Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find the latest event per device

JandrevdM
Path Finder
‎10-03-2024 01:00 AM

Good day,

I am trying to find the latest event for my virtual machines to determine if they are still active or decommissioned. The object is the hostname and the command is where I can see if a device was deleted or just started. I will then afterwards add the command!="*DELETE"

index=db_azure_activity sourcetype=azure:monitor:activity  change_type="virtual machine"
| rename "identity.authorization.evidence.roleAssignmentScope" as subscription
| stats max(_time) as time by  command object subscription change_type resource_group
| convert ctime(time)
```| dedup object```
| table  change_type object resource_group subscription command time 
| sort object asc
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-03-2024 01:16 AM

Try something like this

index=db_azure_activity sourcetype=azure:monitor:activity  change_type="virtual machine"
| rename "identity.authorization.evidence.roleAssignmentScope" as subscription
| dedup object
| table  change_type object resource_group subscription command _time 
| sort object asc

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-03-2024 01:16 AM

Try something like this

index=db_azure_activity sourcetype=azure:monitor:activity  change_type="virtual machine"
| rename "identity.authorization.evidence.roleAssignmentScope" as subscription
| dedup object
| table  change_type object resource_group subscription command _time 
| sort object asc
Reply
Solved! Jump to solution

JandrevdM
Path Finder
‎10-03-2024 01:20 AM

Thanks! I initially got it right and then tried to think to deep into it. Forgot that if you dedup that splunk will take the latest event.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-03-2024 02:12 AM

Hi @JandrevdM ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-03-2024 01:12 AM

Hi @JandrevdM,

could you better describe your requirement?

using your search you have the last events for your grouping fields.

You could add a condition that the last event was before the observation period (e.g. before one day) so you'll have devices that didn't send logs in the last 1 day, is this your requirement?

if this is your requirement, you could use something like this:

index=db_azure_activity sourcetype=azure:monitor:activity  change_type="virtual machine"
| rename "identity.authorization.evidence.roleAssignmentScope" as subscription
| stats latest(_time) AS _time BY command object subscription change_type 
resource_group
| where _time<now()-86400
| table  change_type object resource_group subscription command _time 
| sort object asc

Ciao.

Giuseppe

 

Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...