Solved: How do I locate the latest event and have all the ...

smaloney99 · ‎06-11-2016

I am using the following query to locate the latest event with the field EVENTREF = 50184 or 50185. I believe the correct event is being returned by the stats command but it is not returning all the fields in the returned event for reporting purposes.

Any suggestions?

EVENTREF=50184 OR EVENTREF=50185 | stats latest(EVENTREF) as LatestEvent by TVMREF

richgalloway · ‎06-11-2016

Try this

EVENTREF=50184 OR EVENTREF=50185 | stats latest(EVENTREF) as LatestEvent, values(EVENTREF) as Events by TVMREF

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-11-2016

Try this

EVENTREF=50184 OR EVENTREF=50185 | stats latest(EVENTREF) as LatestEvent, values(EVENTREF) as Events by TVMREF

---
If this reply helps you, Karma would be appreciated.

smaloney99 · ‎06-11-2016

Thank you! Using 'values' for any field I'd like to access is doing the trick.

richgalloway · ‎06-13-2016

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.

How do I locate the latest event and have all the fields in that event available to me?

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!

What’s New in Splunk Cloud Platform 9.1.2308?