Hi crew, I have a JSON file from Vulnerability services generated one time per hour, and I just needed to get the last _raw event. How is it possible? I want to show the data from the last 7 or 15 days using this condiction.       | rename Issues{}.details AS details Issues{}.file AS file Issues{}.severity AS severity Issues{}.confidence AS confidence Issues{}.line AS line | eval tempField=mvzip(mvzip(mvzip(mvzip(details, file), severity), confidence), line) | stats count by _time, service, source, tempField | eval details=mvindex(split(tempField,","),0), file=mvindex(split(tempField,","),1), severity=mvindex(split(tempField,","),2), confidence=mvindex(split(tempField,","),3), line=mvindex(split(tempField, ","),4) | stats max(_time) AS latest, count AS Issues by _time, severity | sort - _time       ... View more

Hello everyone, I'm using the SPL to get credit card numbers on search time (I would like to maintain this on search time) :     | rex field=_raw "(?<firstStep_CC>(?:\d[ -]*?){13,30})" | eval secondStep_CC=replace(firstStep_CC, "\-|\s|\.", "") | rex field=secondStep_CC "(?<creditcard>^4[0-9]{12}(?:[0-9]{3})?)|(^5[1-5][0-9]{14})|(^6(?:011|5[0-9][0-9])[0-9]{12})|(^3[47][0-9]{13})|(^3(?:0[0-5]|[68][0-9])[0-9]{11})|((?:2131|1800|35\d{3})\d{11})"     With this SPL I get possible credit card numbers, but invalid numbers as well. Do you need a way to get only valid numbers? I thought to split each digit from creditcard and do a mod10 verification, but I don't know if it's efficient. I read a lot of posts like these: https://community.splunk.com/t5/All-Apps-and-Add-ons/TA-luhn-How-to-use-the-luhn-command-and-how-to-apply-a-regex-to/m-p/221518 https://wiki.splunk.com/Community:Credit_card_masking_regex Tks! ... View more