Splunk - How to find the first appearance of queries

219 Views Asked by Yarin Michael Bouzaglo At 03 November 2025 at 07:37

I am trying to filter events in Splunk that contain a unique field (payload.procName) that have not been seen before today. Specifically, I am looking for events that contain the payload.procName field that are appearing for the first time today. How can I filter these events to only show the unique payload.procName values that have been seen today but never seen before?

I've try this query :

tags.appInstance=your_index earliest=-1d latest= now() payload.procName NOT in 
    [| search tags.appInstance= your_index  earliest=-1mon@mon latest=-1d table payload.procName 
    | dedup payload.procName ] 
| table payload.procName 
| dedup payload.procName

Original Q&A

There are 1 best solutions below

RichG On 23 January 2023 at 15:15 BEST ANSWER

You have the general format for the query. See if this helps. It removes the IN keyword (incorrectly used as in) because the subsearch does not return results compatible with that operator. It also uses the format command to explicitly format the results. Run the subsearch by itself to see what I mean.

tags.appInstance=your_index earliest=-1d latest= now() payload.procName=* NOT 
  [search tags.appInstance= your_index earliest=-1mon@mon latest=-1d payload.procName=*
  | fields payload.procName
  | dedup payload.procName
  | format ] 
| dedup payload.procName
| table payload.procName

Splunk - How to find the first appearance of queries

There are 1 best solutions below

Related Questions in SPLUNK

Related Questions in SPLUNK-QUERY

Related Questions in SPLUNK-DASHBOARD

Related Questions in SPLUNK-FORMULA

Trending Questions

Popular # Hahtags

Popular Questions