Dashboards & Visualizations

Get the last _raw events - JSON file

rafamss
Contributor

Hi crew,

I have a JSON file from Vulnerability services generated one time per hour, and I just needed to get the last _raw event. How is it possible? I want to show the data from the last 7 or 15 days using this condition.

| rename Issues{}.details AS details Issues{}.file AS file Issues{}.severity AS severity Issues{}.confidence AS confidence Issues{}.line AS line
| eval tempField=mvzip(mvzip(mvzip(mvzip(details, file), severity), confidence), line)
| stats count by _time, service, source, tempField
| eval details=mvindex(split(tempField,","),0), file=mvindex(split(tempField,","),1), severity=mvindex(split(tempField,","),2), confidence=mvindex(split(tempField,","),3), line=mvindex(split(tempField, ","),4)
| stats max(_time) AS latest, count AS Issues by _time, severity
| sort - _time

0 Karma
1 Solution

rafamss
Contributor

Well, crew! Splunk showed the two latest events, so I followed a tip to send these events to a lookup table and use this lookup table to transform and present the data! It's working fine and with good performance. Thank you all.

0 Karma

dmarling
Builder

If you just want the latest _raw value in a time period you can just use latest(_raw) in your stats.  Here's an example:

| rename Issues{}.details AS details Issues{}.file AS file Issues{}.severity AS severity Issues{}.confidence AS confidence Issues{}.line AS line
| eval tempField=mvzip(mvzip(mvzip(mvzip(details, file), severity), confidence), line)
| stats count latest(_raw) as example by _time, service, source, tempField
| eval details=mvindex(split(tempField,","),0), file=mvindex(split(tempField,","),1), severity=mvindex(split(tempField,","),2), confidence=mvindex(split(tempField,","),3), line=mvindex(split(tempField, ","),4)
| stats max(_time) AS latest, count AS Issues latest(example) as example by _time, severity
| sort - _time

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
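As an added example (not from anyone in this thread), this search keeps only the newest event per day with latest(_raw) and then expands the Issues array with spath and mvexpand instead of the mvzip/mvindex chain. The two hourly JSON events are constructed with makeresults, and the source name and field layout are assumptions.

```spl
| makeresults count=2
| streamstats count AS n
| eval _time=relative_time(now(), "-" . n . "h"), source="vuln_scan.json"
| eval _raw=if(n==1,
    "{\"service\":\"web\",\"Issues\":[{\"details\":\"SQL injection\",\"file\":\"db.py\",\"severity\":\"High\",\"confidence\":\"High\",\"line\":42},{\"details\":\"Hardcoded credential\",\"file\":\"cfg.py\",\"severity\":\"Medium\",\"confidence\":\"Low\",\"line\":7}]}",
    "{\"service\":\"web\",\"Issues\":[{\"details\":\"SQL injection\",\"file\":\"db.py\",\"severity\":\"High\",\"confidence\":\"High\",\"line\":42}]}")
| fields _time source _raw
| bin _time span=1d
| stats latest(_raw) AS _raw BY _time, source
| spath input=_raw path=service
| spath input=_raw path=Issues{} output=issue
| mvexpand issue
| spath input=issue
| table _time service severity details file line confidence
```

Against real data, replace the first four makeresults/eval lines with the base search (for example index=..., sourcetype=..., earliest=-15d); the rest of the pipeline is unchanged. Splitting the joined tempField on "," as in the thread breaks as soon as a details value itself contains a comma, which parsing each issue with spath avoids.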

nickhills
Ultra Champion

Your question is not totally clear, but I wonder if you mean "Can I also display the vulnerability details"?

In which case you could try replacing the last stats with:

| stats max(_time) AS latest, count AS Issues by _time, severity, details

or

| stats max(_time) AS latest, count AS Issues by _time, severity, details, file, line

if you want all the fields.

If my comment helps, please give it a thumbs up!
0 Karma

to4kawa
SplunkTrust

What's _raw event?

0 Karma