Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I use the latest/newest value to be used as a value?

Kitteh
Path Finder
‎11-09-2017 12:03 AM

I am trying to use the latest "Value" from the last Added/Updated Registry Key but however it took in the oldest result instead... How do I fix this?

My query:
index="winauto"
| eval _time = strftime(_time,"%d-%m-%y %H:%M:%S")
| where (registry_type="SetValue" AND data!="") OR registry_type="DeleteKey"
| eval Data=if(data="", "NA", data)
| eventstats last(Data) as latestdata by key_path
| eval Data=if(Data="NA", latestdata, Data)
| eval Action=if(registry_type="SetValue", "Added/Updated Registry Key", "Removed Registry Key")
| where Data != "NA"
| table _time, Action, key_path, Data
| rename key_path AS "Key" Data AS "Value" _time AS "Time"

My intended result should be "TestData oh" in the first row but however it took in the oldest data which is "TestData"
alt text

Tags (2)
Preview file
32 KB
0 Karma
Reply

elliotproebstel
Champion
‎11-09-2017 05:36 AM

If you want to return only the most recent event matching a given search, you can do this:
base search | head 1

This will always return a single event; because Splunk returns events in reverse-chronological order, the head command will return the most recent one. So in your case, if you wanted to find the most recent event where action="Added/Updated Registry Key", then the search would look like this:

action="Added/Updated Registry Key" | head 1

0 Karma
Reply

mayurr98
Super Champion
‎11-09-2017 01:17 AM

try using stats command with latest and earliest option

Refer this doc
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Stats#Event_order_functions

Let me know if it works

Reply

Kitteh
Path Finder
‎11-09-2017 05:10 PM

Not sure how it would work since I am not sure where to edit in my query. Will be editing my post and add in the query I've used.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...