Solved: Re: How do I locate the latest event and have all ...

smaloney99 · ‎06-11-2016

I am using the following query to locate the latest event with the field EVENTREF = 50184 or 50185. I believe the correct event is being returned by the stats command but it is not returning all the fields in the returned event for reporting purposes.

Any suggestions?

EVENTREF=50184 OR EVENTREF=50185 | stats latest(EVENTREF) as LatestEvent by TVMREF

richgalloway · ‎06-11-2016

Try this

EVENTREF=50184 OR EVENTREF=50185 | stats latest(EVENTREF) as LatestEvent, values(EVENTREF) as Events by TVMREF

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-11-2016

Try this

EVENTREF=50184 OR EVENTREF=50185 | stats latest(EVENTREF) as LatestEvent, values(EVENTREF) as Events by TVMREF

---
If this reply helps you, Karma would be appreciated.

smaloney99 · ‎06-11-2016

Thank you! Using 'values' for any field I'd like to access is doing the trick.

richgalloway · ‎06-13-2016

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.

How do I locate the latest event and have all the fields in that event available to me?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7