Splunk Search

Finding most recent event by host

anuremanan88
Explorer

We are collecting logs from McAfee and Splunk pulls information for each host every 1 Hr. The logs have two fields host and LastUpdateTime. I need to get the most recent event for each host using the LastUpdateTime without losing any other fields. Please help me in writing a query for this.

Tags (1)
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi
Can you please try this?

YOUR_SEARCH |eval LastUpdateTimeEpoch=strptime(LastUpdateTime,"%Y-%m-%d %H:%M:%S") | sort - LastUpdateTimeEpoch | dedup host

DalJeanis
Legend

@kamlesh_vaghela - change that to | sort - LastUpdateTimeEpoch |dedup host and you have it.

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @DalJeanis,

Perfect!!

0 Karma

cmerriman
Super Champion

What format is LastUpdateTime in?
Try something like

|convert mktime(LastUpdateTime) as LastUpdateTimeEpoch timeformat="%Y-%m-%d %H:%M:%S"| stats max(LastUpdateTimeEpoch) as LastUpdateTimeEpoch by host |eval LastUpdateTime=strftime(LastUpdateTimeEpoch,"%Y-%m-%d %H:%M:%S")

Except change the time format to suit your needs. You can also use an |eval LastUpdateTimeEpoch=strptime(LastUpdateTime,"%Y-%m-%d %H:%M:%S") instead of convert

anuremanan88
Explorer

Using stats will remove other fields present in the event. Is there a way to keep the other fields also

0 Karma

cmerriman
Super Champion

you can do ...|stats values(*) as * max(LastUpdateTimeEpoch) as LastUpdateTimeEpoch by host |eval LastUpdateTime=strftime(LastUpdateTimeEpoch,"%Y-%m-%d %H:%M:%S")

0 Karma

niketn
Legend

@anuremanan88, Try the following

<YourBaseSearch>
| dedup host
| table *

Refer to Splunk documentation of dedup command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dedup

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

anuremanan88
Explorer

I need to get the most recent event using the field LastUpdateTime field for each host. dedup wont work here.

0 Karma

niketn
Legend

Can you add some sample data for your field?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...