Splunk Search

How do I use the latest/newest value to be used as a value?

Path Finder

I am trying to use the latest "Value" from the last Added/Updated Registry Key but however it took in the oldest result instead... How do I fix this?

My query:
| eval time = strftime(time,"%d-%m-%y %H:%M:%S")
| where (registrytype="SetValue" AND data!="") OR registrytype="DeleteKey"
| eval Data=if(data="", "NA", data)
| eventstats last(Data) as latestdata by keypath
| eval Data=if(Data="NA", latestdata, Data)
| eval Action=if(registry
type="SetValue", "Added/Updated Registry Key", "Removed Registry Key")
| where Data != "NA"
| table time, Action, keypath, Data
| rename key_path AS "Key" Data AS "Value" _time AS "Time"

My intended result should be "TestData oh" in the first row but however it took in the oldest data which is "TestData"
alt text

Tags (2)
0 Karma

If you want to return only the most recent event matching a given search, you can do this:
base search | head 1

This will always return a single event; because Splunk returns events in reverse-chronological order, the head command will return the most recent one. So in your case, if you wanted to find the most recent event where action="Added/Updated Registry Key", then the search would look like this:

action="Added/Updated Registry Key" | head 1

0 Karma


try using stats command with latest and earliest option

Refer this doc

Let me know if it works

Path Finder

Not sure how it would work since I am not sure where to edit in my query. Will be editing my post and add in the query I've used.

0 Karma