topic Re: How to search for the latest field value that is not equal to a certain value? in Splunk Search

How to search for the latest field value that is not equal to a certain value?

Glasses — Wed, 30 Sep 2020 01:59:28 GMT

Hi
Just not having luck with my syntax.
I have proofpoint logs and I am looking for the latest final_action value that is not equal to continue...
For example
Index=Proofpoint sourcetype=mail_logs | stats latest(final_action) gives me the last value... like if it was rejected or continued
The challenge I have is searching for latest final_action != continue...
The purpose here is that the final action can change from "discard" to "continue" so I want to filter on the "latest"...

Any advice appreciated...

Re: How to search for the latest field value that is not equal to a certain value?

mayurr98 — Wed, 04 Sep 2019 17:25:33 GMT

try this :

Index=Proofpoint sourcetype=mail_logs final_action!=continue | stats latest(final_action)

Index=Proofpoint sourcetype=mail_logs 
| stats latest(eval(case(final_action!="continue",final_action))) as "final_action"

Re: How to search for the latest field value that is not equal to a certain value?

Glasses — Wed, 30 Sep 2020 02:04:01 GMT

Thank you for the reply but neither are what I am looking for...
There are multiple events per email that contain "final_action", if an event with final_action=discard arrives at 10:41 another event for the same email can arrive later at 10:42 where final_action=continue, this is because there are a sequence of filters checking the email...
So I only want to find emails where the last or latest final_action!=continue...
Hope that makes sense... thank you

Re: How to search for the latest field value that is not equal to a certain value?

Glasses — Wed, 30 Sep 2020 02:04:16 GMT

what I am trying to do is use this
index=proofpoint sourcetype=mail "@somedomain.com" "connection.helo"=".somename.com"|stats latest(final_action) by msg.header.subject{} msg.header.to{} msg.header.from{}

which gives me all the emails with the latest final_action value.... but now I need to filter out any final_action which is discard , reject etc...

any advice appreciated... Thank you

Re: How to search for the latest field value that is not equal to a certain value?

mayurr98 — Wed, 30 Sep 2020 02:03:28 GMT

so you could add the actions that you want in the main search. final_action="discard" OR final_action="reject" OR...

Re: How to search for the latest field value that is not equal to a certain value?

Glasses — Wed, 04 Sep 2019 20:16:15 GMT

apparently this works but I don't know if its the best way.... index=proofpoint sourcetype=mail "@somedomain.com" "connection.helo"=".somename.com"|stats latest(final_action) by msg.header.subject{} msg.header.to{} msg.header.from{} |WHERE final_action!="continue"

if anyone can confirm or improve, it is much appreciated...

Re: How to search for the latest field value that is not equal to a certain value?

masonmorales — Wed, 04 Sep 2019 20:31:31 GMT

This is the best way.

Re: How to search for the latest field value that is not equal to a certain value?

masonmorales — Wed, 30 Sep 2020 02:03:31 GMT

If you want to blacklist multiple final_actions, you could do:
index=proofpoint sourcetype=mail "@somedomain.com" "connection.helo"=".somename.com"|stats latest(final_action) as final_action by msg.header.subject{} msg.header.to{} msg.header.from{} | search NOT final_action IN (continue, discard, reject)

Re: How to search for the latest field value that is not equal to a certain value?

mayurr98 — Wed, 04 Sep 2019 20:39:29 GMT

index=proofpoint sourcetype=mail "@somedomain.com" "connection.helo"=".somename.com" final_action!="continue" |stats latest(final_action) by msg.header.subject{} msg.header.to{} msg.header.from{}

this will be faster

Re: How to search for the latest field value that is not equal to a certain value?

Glasses — Wed, 30 Sep 2020 02:04:21 GMT

@mayurr98 thank you but if I define final_action!=continue then I might not get the latest final_action values. Each email has more than one final_action but the last or latest one indicates where it continued to deliver or got dropped /discarded... I appreciate you stay with the thread though...

Re: How to search for the latest field value that is not equal to a certain value?

mayurr98 — Wed, 04 Sep 2019 20:50:04 GMT

then filtering at the end is the only option

Re: How to search for the latest field value that is not equal to a certain value?

Glasses — Wed, 04 Sep 2019 20:50:10 GMT

my only improvement I might need is defining the latest(final_action) as FINAL so that it looks at the values for the latest... but IDK - still validating

....| stats  latest(final_action) as FINAL  by _time msg.header.subject{} msg.header.to{}  msg.header.from{} |WHERE FINAL!="continue"

Re: How to search for the latest field value that is not equal to a certain value?

Glasses — Wed, 04 Sep 2019 20:54:48 GMT

nope does not look at the time, does not retain the time comparison of the final_action events... have to rewrite...

Re: How to search for the latest field value that is not equal to a certain value?

Glasses — Fri, 13 Sep 2019 13:12:40 GMT

Final note, the issue is that proofpoint logs have multiple filters with multiple final actions and the logs don't have a absolutely final action or "delivered" or "not delivered" status in the message log. So I have to correlate a qid field from the message logs to the mta logs and check there if the email was sent... thank you everyone for you help.

Re: How to search for the latest field value that is not equal to a certain value?

Glasses — Fri, 13 Sep 2019 13:16:07 GMT

Thank you for the answer. This is a good example for blacklisting.