Splunk Search

How to get the last value from a previous event filtered by host?

goodsellt
Contributor

My problem stems from how the last value functions, where it pulls the last value from the previous event. While I want it to do that, I also want to have the events filtered by another value (ex: multiple hosts have events in the system, I want the last value that each event pulls for calculation to be from the same host).

To explain how I've gotten to this point:
I'm looking at a series of data which indicates whether or not a drive is encrypted on a specific machine. The data comes in as the following:

Time;client1;volume1;Y (encryption status yes or no)
Time;client1;volume2;Y 
Time;client2;volume1;N 
....

I use the transaction command so that all the events are grouped by client, however, it is spanned since these checks are run as a batch job at a set interval and I wish to know if the encryption status has changed since the last check.

Data after transaction:

Time;client1;volume1,volume2;Y,Y
Time;client2;volume1;N

I then insert a surrogate variable which says whether or not all drives on the system are encrypted (So I do not need to work with a multi value field).

At the end of the day I can get something like:

Time1;client1;volume1,volume2;Y,Y;1 (1 for full encryption, 0 if not)
Time1;client2;volume1;N;0
Time2;client1;volume1,volume2;Y,Y;1
Time2;client2;volume1;Y;1
...

I'm unable to figure out a successful way to use the last function so that I can grab the last value from a specific client at a different time instead of just the value of the client which was listed just before it at the same time.

I attempted sorting by client then using it with no success.
Would you all recommend I try doing another transaction (this time where the span length is much larger or even infinite)?
Is there a special way to use the eventstats command to perform this kind of action?

After doing some research, it seems like a lot of the solutions revolve around filtering out all the data apart from a specific client and doing it, however, my end goal involves creating a chart which can show the trend of the number of machines becoming fully encrypted or the number of machines where the drives are being unencrypted, so I'm trying to include all machines in this dataset.

Thanks for any guidance anyone can provide.

0 Karma
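One way to pull the previous check's value for the same client, rather than for whatever event happened to precede it, as an added example that is not the poster's query: the batch is grouped with bin and stats instead of transaction, and streamstats with by client keeps each client's history separate. Every index, sourcetype and field name below (client, volume, encrypted) is assumed.

```spl
index=drive_checks sourcetype=encryption_status
| bin _time span=5m
| stats min(eval(if(encrypted="Y",1,0))) as all_encrypted, values(volume) as volumes by _time client
| sort 0 client _time
| streamstats current=f window=1 last(all_encrypted) as prev_all_encrypted by client
| eval change=case(isnull(prev_all_encrypted), "first_seen",
                   prev_all_encrypted=0 AND all_encrypted=1, "became_encrypted",
                   prev_all_encrypted=1 AND all_encrypted=0, "became_unencrypted",
                   true(), "unchanged")
| timechart span=1d count(eval(change="became_encrypted")) as newly_encrypted,
                     count(eval(change="became_unencrypted")) as newly_unencrypted
```

The first stats line is the surrogate variable (1 only when every volume in that batch reported Y); the timechart at the end gives the trend of machines gaining or losing full encryption across all clients at once.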
1 Solution

goodsellt
Contributor

Just posting this to let everyone know I did find a solution to this issue.

I did end up just doing a double transaction, and while it slows down the query quite a bit it was effective for what I was trying to do.

0 Karma
