I am trying to use the latest "Value" from the last Added/Updated Registry Key but however it took in the oldest result instead... How do I fix this?
| eval time = strftime(time,"%d-%m-%y %H:%M:%S")
| where (registrytype="SetValue" AND data!="") OR registrytype="DeleteKey"
| eval Data=if(data="", "NA", data)
| eventstats last(Data) as latestdata by keypath
| eval Data=if(Data="NA", latestdata, Data)
| eval Action=if(registrytype="SetValue", "Added/Updated Registry Key", "Removed Registry Key")
| where Data != "NA"
| table time, Action, keypath, Data
| rename key_path AS "Key" Data AS "Value" _time AS "Time"
My intended result should be "TestData oh" in the first row but however it took in the oldest data which is "TestData"
If you want to return only the most recent event matching a given search, you can do this:
base search | head 1
This will always return a single event; because Splunk returns events in reverse-chronological order, the
head command will return the most recent one. So in your case, if you wanted to find the most recent event where
action="Added/Updated Registry Key", then the search would look like this:
action="Added/Updated Registry Key" | head 1