https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-of-latest-event-when-events-have-same/m-p/597626#M208078 <P>Hello Splunkers - I am struggling to create a table that shows distinct events that sometimes have the same timestamp:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="12.5%" height="25px">_time</TD> <TD width="12.5%" height="25px">vulnerability</TD> <TD width="12.5%" height="25px">asset</TD> <TD width="12.5%" height="25px">ipAddress</TD> <TD width="12.5%" height="25px">vendor</TD> <TD width="12.5%" height="25px">cvssScore</TD> <TD width="12.5%" height="25px">lastFound</TD> <TD width="12.5%" height="25px">supportContact</TD> </TR> <TR> <TD width="12.5%" height="69px"><SPAN>2022-05-12 05:23:24</SPAN></TD> <TD width="12.5%" height="69px"><FONT color="#000000">CVE-2022-1234</FONT></TD> <TD width="12.5%" height="69px">host1</TD> <TD width="12.5%" height="69px">ip1</TD> <TD width="12.5%" height="69px">vendor1</TD> <TD width="12.5%" height="69px">score1</TD> <TD width="12.5%" height="69px">2022-05-12</TD> <TD width="12.5%" height="69px">support1</TD> </TR> <TR> <TD width="12.5%" height="69px"><FONT color="#000000"><SPAN>2022-05-12 05:23:24</SPAN></FONT></TD> <TD width="12.5%" height="69px"><FONT color="#000000">CVE-2021-5678</FONT></TD> <TD width="12.5%" height="69px">host2</TD> <TD width="12.5%" height="69px">ip2</TD> <TD width="12.5%" height="69px">vendor2</TD> <TD width="12.5%" height="69px">score2</TD> <TD width="12.5%" height="69px">2022-05-12</TD> <TD width="12.5%" height="69px">support2</TD> </TR> <TR> <TD><FONT color="#000000"><SPAN>2022-05-12 05:23:24</SPAN></FONT></TD> <TD><FONT color="#000000">CVE-2016-1234</FONT></TD> <TD>host3</TD> <TD>ip3</TD> <TD>vendor3</TD> <TD>score3</TD> <TD>2022-05-12</TD> <TD>support3</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I can't find the right way to search these events so that all distinct events show. Based on one of the many answers I read here, I've tried using eventstats, but it's not working as I'd hoped. Here's the query:<BR /><BR /><FONT face="courier new,courier">| eventstats latest(_time) as lastFound | where lastFound=_time</FONT><BR /><FONT face="courier new,courier">| table _time, vulnerability, asset, ipAddress, vendor, cvssScore, lastFound, supportContact</FONT><BR /><BR />When I run this I get a table with the latest events by _time, but it does not take into account that there are different values in the other fields. So instead of the 5,000 events I'm expecting, I get a few hundred.</P> <TABLE border="1"> <TBODY> <TR> <TD width="12.5%">_time</TD> <TD width="12.5%">vulnerability</TD> <TD width="12.5%">asset</TD> <TD width="12.5%">ipAddress</TD> <TD width="12.5%">vendor</TD> <TD width="12.5%">cvssScore</TD> <TD width="12.5%">lastFound</TD> <TD width="12.5%">supportContact</TD> </TR> <TR> <TD width="12.5%"><SPAN>2022-05-12 05:23:24</SPAN></TD> <TD width="12.5%">CVE-2022-1234</TD> <TD width="12.5%">host1</TD> <TD width="12.5%">ip1</TD> <TD width="12.5%">vendor1</TD> <TD width="12.5%">score1</TD> <TD width="12.5%">lastFoundTime</TD> <TD width="12.5%">support1</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>What am I doing wrong?</P> Thu, 12 May 2022 16:31:12 GMT mistydennis 2022-05-12T16:31:12Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-of-latest-event-when-events-have-same/m-p/597626#M208078 <P>Hello Splunkers - I am struggling to create a table that shows distinct events that sometimes have the same timestamp:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="12.5%" height="25px">_time</TD> <TD width="12.5%" height="25px">vulnerability</TD> <TD width="12.5%" height="25px">asset</TD> <TD width="12.5%" height="25px">ipAddress</TD> <TD width="12.5%" height="25px">vendor</TD> <TD width="12.5%" height="25px">cvssScore</TD> <TD width="12.5%" height="25px">lastFound</TD> <TD width="12.5%" height="25px">supportContact</TD> </TR> <TR> <TD width="12.5%" height="69px"><SPAN>2022-05-12 05:23:24</SPAN></TD> <TD width="12.5%" height="69px"><FONT color="#000000">CVE-2022-1234</FONT></TD> <TD width="12.5%" height="69px">host1</TD> <TD width="12.5%" height="69px">ip1</TD> <TD width="12.5%" height="69px">vendor1</TD> <TD width="12.5%" height="69px">score1</TD> <TD width="12.5%" height="69px">2022-05-12</TD> <TD width="12.5%" height="69px">support1</TD> </TR> <TR> <TD width="12.5%" height="69px"><FONT color="#000000"><SPAN>2022-05-12 05:23:24</SPAN></FONT></TD> <TD width="12.5%" height="69px"><FONT color="#000000">CVE-2021-5678</FONT></TD> <TD width="12.5%" height="69px">host2</TD> <TD width="12.5%" height="69px">ip2</TD> <TD width="12.5%" height="69px">vendor2</TD> <TD width="12.5%" height="69px">score2</TD> <TD width="12.5%" height="69px">2022-05-12</TD> <TD width="12.5%" height="69px">support2</TD> </TR> <TR> <TD><FONT color="#000000"><SPAN>2022-05-12 05:23:24</SPAN></FONT></TD> <TD><FONT color="#000000">CVE-2016-1234</FONT></TD> <TD>host3</TD> <TD>ip3</TD> <TD>vendor3</TD> <TD>score3</TD> <TD>2022-05-12</TD> <TD>support3</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I can't find the right way to search these events so that all distinct events show. Based on one of the many answers I read here, I've tried using eventstats, but it's not working as I'd hoped. Here's the query:<BR /><BR /><FONT face="courier new,courier">| eventstats latest(_time) as lastFound | where lastFound=_time</FONT><BR /><FONT face="courier new,courier">| table _time, vulnerability, asset, ipAddress, vendor, cvssScore, lastFound, supportContact</FONT><BR /><BR />When I run this I get a table with the latest events by _time, but it does not take into account that there are different values in the other fields. So instead of the 5,000 events I'm expecting, I get a few hundred.</P> <TABLE border="1"> <TBODY> <TR> <TD width="12.5%">_time</TD> <TD width="12.5%">vulnerability</TD> <TD width="12.5%">asset</TD> <TD width="12.5%">ipAddress</TD> <TD width="12.5%">vendor</TD> <TD width="12.5%">cvssScore</TD> <TD width="12.5%">lastFound</TD> <TD width="12.5%">supportContact</TD> </TR> <TR> <TD width="12.5%"><SPAN>2022-05-12 05:23:24</SPAN></TD> <TD width="12.5%">CVE-2022-1234</TD> <TD width="12.5%">host1</TD> <TD width="12.5%">ip1</TD> <TD width="12.5%">vendor1</TD> <TD width="12.5%">score1</TD> <TD width="12.5%">lastFoundTime</TD> <TD width="12.5%">support1</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>What am I doing wrong?</P> Thu, 12 May 2022 16:31:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-of-latest-event-when-events-have-same/m-p/597626#M208078 mistydennis 2022-05-12T16:31:12Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-of-latest-event-when-events-have-same/m-p/597639#M208084 <P>Your eventstats is not taking the different values of the fields into account</P><LI-CODE lang="markup">| eventstats latest(_time) as lastFound by vulnerability, asset, ipAddress, vendor, cvssScore, supportContact | where lastFound=_time | table _time, vulnerability, asset, ipAddress, vendor, cvssScore, lastFound, supportContact</LI-CODE> Thu, 12 May 2022 16:30:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-of-latest-event-when-events-have-same/m-p/597639#M208084 ITWhisperer 2022-05-12T16:30:43Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-of-latest-event-when-events-have-same/m-p/597673#M208094 <P>That did the trick! I had a feeling I was missing something basic, thank you very much!&nbsp;&nbsp;<BR /><BR />Can you tell me the difference between using eventstats latest vs. stats latest in this particular case? I can see that it adjusts the number of events I receive, but I'm not sure <EM>why</EM>.</P> Thu, 12 May 2022 18:31:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-of-latest-event-when-events-have-same/m-p/597673#M208094 mistydennis 2022-05-12T18:31:25Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-of-latest-event-when-events-have-same/m-p/597674#M208095 <P>Eventstats will add fields to the events in the pipeline without removing any events - stats will replace all the events in the pipeline with events with the aggregated values.</P> Thu, 12 May 2022 18:34:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-of-latest-event-when-events-have-same/m-p/597674#M208095 ITWhisperer 2022-05-12T18:34:01Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-of-latest-event-when-events-have-same/m-p/597675#M208096 <P>Makes sense, thanks again!</P> Thu, 12 May 2022 18:36:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-table-of-latest-event-when-events-have-same/m-p/597675#M208096 mistydennis 2022-05-12T18:36:43Z