Splunk Search

How to display the latest event as a result?

kartm2020
Communicator

Search query 1:
index="main" earliest=06/01/2019:00:00:00 latest=now | stats first(status) by src destination port
Search query 2:
index="main" earliest=06/01/2019:00:00:00 latest=now | stats latest(status) by src destination port
I have used the first and latest commands in stats.

There are 2 statuses in the events, "STATE UP" and "STATE DOWN". I would like to fetch the latest event with the latest status field. But if I am searching with the above query it is showing both (STATE UP and STATE DOWN). I would like to display the latest, either "status up" or "status down".
Can someone help me find the solution?
Current results:
src  destination  port  first(status)
XXX  YYY          443   State DOWN
XXX  YYY          443   State UP

0 Karma

kartm2020
Communicator

Hi Jacobevans,
Thank you for the query. But I am expecting different results. In NetScaler, the events are triggered when there is a status change from UP to DOWN or DOWN to UP. I would like to display the latest status with respect to source and destination. Your query gives all the results, which is not the expected one.

Example : I have 3 events
10/17/19 7:05 PM : Status was DOWN
10/17/19 7:06 PM : Status was UP
10/17/19 7:07 PM : Status was DOWN

The expected output should be the current status, like below:
STATE was DOWN (because this status is the latest)

0 Karma
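The behaviour the poster is after, one row per (src, destination, port) carrying the status of the chronologically latest event, is what `stats latest(status) by src destination port` computes. The following is an added Python illustration of that semantics over constructed events modelled on the three-event example above; it is not code from the original thread or from Splunk, and the event fields and timestamp format are assumptions.

```python
from datetime import datetime

# Constructed sample events shaped like the NetScaler state-change events the
# poster describes (not real data). They are deliberately out of time order,
# so correctness must come from comparing _time, not from input order.
SAMPLE_EVENTS = [
    {"_time": "10/17/19 7:06 PM", "src": "XXX", "destination": "YYY", "port": "443", "status": "State UP"},
    {"_time": "10/17/19 7:05 PM", "src": "XXX", "destination": "YYY", "port": "443", "status": "State DOWN"},
    {"_time": "10/17/19 7:07 PM", "src": "XXX", "destination": "YYY", "port": "443", "status": "State DOWN"},
    # A second flow, so that the grouping by src/destination/port matters.
    {"_time": "10/17/19 7:04 PM", "src": "XXX", "destination": "ZZZ", "port": "80", "status": "State UP"},
]

TIME_FORMAT = "%m/%d/%y %I:%M %p"  # assumed format of the displayed timestamps


def parse_time(ts):
    """Turn the displayed timestamp into a comparable datetime."""
    return datetime.strptime(ts, TIME_FORMAT)


def latest_status_by_flow(events):
    """Mimic `stats latest(status) by src destination port`.

    Returns {(src, destination, port): status} where status comes from the
    event with the greatest _time in that group. Grouping fields are
    normalised (stripped, port as int) because stats groups on exact string
    values: a stray space or a differently typed port would otherwise split
    one flow into two rows.
    """
    latest = {}
    for ev in events:
        key = (ev["src"].strip(), ev["destination"].strip(), int(ev["port"]))
        t = parse_time(ev["_time"])
        if key not in latest or t > latest[key][0]:
            latest[key] = (t, ev["status"].strip())
    return {key: status for key, (_, status) in latest.items()}


def currently_down(events):
    """Flows whose most recent state-change event reports DOWN: the set a
    monitoring dashboard or alert would want, rather than every transition."""
    return sorted(k for k, s in latest_status_by_flow(events).items()
                  if s.upper().endswith("DOWN"))


if __name__ == "__main__":
    for key, status in latest_status_by_flow(SAMPLE_EVENTS).items():
        print(*key, status)
    print("down:", currently_down(SAMPLE_EVENTS))
```

With the three-event example, the XXX/YYY/443 flow resolves to "State DOWN", matching the expected output, while the second flow stays "State UP".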