Splunk Search

How do I use the latest/newest value to be used as a value?

Kitteh
Path Finder

I am trying to use the latest "Value" from the last Added/Updated Registry Key but however it took in the oldest result instead... How do I fix this?

My query:
index="winauto"
| eval _time = strftime(_time,"%d-%m-%y %H:%M:%S")
| where (registry_type="SetValue" AND data!="") OR registry_type="DeleteKey"
| eval Data=if(data="", "NA", data)
| eventstats last(Data) as latestdata by key_path
| eval Data=if(Data="NA", latestdata, Data)
| eval Action=if(registry_type="SetValue", "Added/Updated Registry Key", "Removed Registry Key")
| where Data != "NA"
| table _time, Action, key_path, Data
| rename key_path AS "Key" Data AS "Value" _time AS "Time"

My intended result should be "TestData oh" in the first row but however it took in the oldest data which is "TestData"
alt text

Tags (2)
0 Karma

elliotproebstel
Champion

If you want to return only the most recent event matching a given search, you can do this:
base search | head 1

This will always return a single event; because Splunk returns events in reverse-chronological order, the head command will return the most recent one. So in your case, if you wanted to find the most recent event where action="Added/Updated Registry Key", then the search would look like this:

action="Added/Updated Registry Key" | head 1

0 Karma

mayurr98
Super Champion

try using stats command with latest and earliest option

Refer this doc
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Stats#Event_order_functions

Let me know if it works

Kitteh
Path Finder

Not sure how it would work since I am not sure where to edit in my query. Will be editing my post and add in the query I've used.

0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...