Splunk: Filter the latest event
Using stats latest() by _, then where _, to filter when the latest() value matches a condition
Example logs
Feb 16 09:23:49.368178 python3_tooling INFO host=vm001 component=com.example.doTest action=getHostIpByName status=finished time=1427220 severity=info
Feb 16 09:00:02.147521 python3_tooling INFO host=vm001 component=com.example.doTest action=getHostIpByName status=start severity=info
Feb 15 09:20:57.645556 python3_tooling INFO host=vm001 component=com.example.doTest action=getHostIpByName status=finished time=1255478 severity=info
Feb 15 09:00:02.166598 python3_tooling INFO host=vm001 component=com.example.doTest action=getHostIpByName status=start severity=info
Feb 14 09:21:43.950554 python3_tooling INFO host=vm001 component=com.example.doTest action=getHostIpByName status=finished time=1302546 severity=info
Feb 14 09:00:01.404406 python3_tooling INFO host=vm001 component=com.example.doTest action=getHostIpByName status=start severity=info
Feb 13 09:12:03.234726 python3_tooling ERROR host=vm001 component=com.example.doTest action=getHostIpByName status=error time=720920 cmd=[xxxx An error occurred (NoSuchBucket) when calling the PutObject operation: The specified bucket does not exist Hint: This is mostly caused by an unauthorized kms key id or an invalid kms key id: returncode=None', 'Backup FAILED.'] severity=err
A normal search returns every matching event for action getHostIpByName on host vm001, however old it is:
index=* host=* sourcetype=python source=/mnt/log/python (status="error") | table _time, host, status, time
It returns this entry:
Feb 13 09:12:03.234726 python3_tooling ERROR host=vm001 component=com.example.doTest action=getHostIpByName status=error time=720920
Filter out
The search below only returns a result if the latest status is error. In this case, latest(status) is “finished”, so the result is empty. Because stats keeps only the fields it computes, time must also be carried through with latest(time), or the time column in the table will be blank:
index=* host=* sourcetype=python source=/mnt/log/python | stats latest(_time) as _time, latest(status) as status, latest(time) as time by host | where status="error" | table _time, host, status, time
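The same two searches reproduced in Python, as an added example that is not part of the original post and not Splunk code: it parses lines in the page's log format, runs the plain status="error" filter, and then the stats latest() by host plus where filter. The log lines are constructed samples; vm002 is an assumed extra host, added so the grouped search has a hit to show.

```python
import re
from datetime import datetime

# Constructed sample lines in the page's log format. vm002 is an assumed extra
# host whose newest event is an error, so the grouped search returns something.
SAMPLE_LOGS = [
    "Feb 16 09:23:49.368178 python3_tooling INFO host=vm001 component=com.example.doTest action=getHostIpByName status=finished time=1427220 severity=info",
    "Feb 16 09:00:02.147521 python3_tooling INFO host=vm001 component=com.example.doTest action=getHostIpByName status=start severity=info",
    "Feb 13 09:12:03.234726 python3_tooling ERROR host=vm001 component=com.example.doTest action=getHostIpByName status=error time=720920 severity=err",
    "Feb 15 09:10:00.000000 python3_tooling ERROR host=vm002 component=com.example.doTest action=getHostIpByName status=error time=700000 severity=err",
]

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}\.\d+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Field extraction: syslog-style timestamp plus key=value pairs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = dict(KV_RE.findall(m.group("rest")))
    # The timestamp carries no year, so strptime defaults to 1900; ordering is unaffected.
    ev["_time"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
    return ev


def events_matching(lines, **conditions):
    """Plain search: every event whose fields equal the given values, however old."""
    events = (parse_event(line) for line in lines)
    return [ev for ev in events
            if ev and all(ev.get(k) == v for k, v in conditions.items())]


def latest_by_host(lines):
    """stats latest(_time), latest(status), latest(time) by host."""
    # Simplification: Splunk's latest(X) takes X from the newest event that has X;
    # keeping the whole newest event per host gives the same result for this data.
    latest = {}
    for ev in filter(None, map(parse_event, lines)):
        cur = latest.get(ev["host"])
        if cur is None or ev["_time"] > cur["_time"]:
            latest[ev["host"]] = ev
    return latest


def hosts_whose_latest_is(lines, status):
    """... | where status="<status>": only hosts whose newest event matches."""
    return sorted(h for h, ev in latest_by_host(lines).items()
                  if ev.get("status") == status)
```

The plain filter still surfaces the old Feb 13 error on vm001, while the grouped version reports only hosts whose most recent run failed.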