I had the same issue with my Nessus scan data. I solved it using the streamstats command. The following search works for your example:
yoursearch | streamstats first(scanID) as scanID_first by machine | eval recent=if(scanID=scanID_first,"yes","no")
This will make your scan data look as follows:
| scanID  | machine  | fail  | scanID_first | recent |
|---------|----------|-------|--------------|--------|
| scanIDa | machine1 | fail1 | scanIDa      | yes    |
| scanIDa | machine1 | fail2 | scanIDa      | yes    |
| scanIDb | machine1 | fail1 | scanIDa      | no     |
| scanIDb | machine1 | fail2 | scanIDa      | no     |
| scanIDb | machine1 | fail3 | scanIDa      | no     |
| scanIDc | machine2 | fail1 | scanIDc      | yes    |
| scanIDc | machine2 | fail2 | scanIDc      | yes    |
| scanIDc | machine2 | fail3 | scanIDc      | yes    |
| scanIDd | machine2 | fail1 | scanIDc      | no     |
| scanIDd | machine2 | fail3 | scanIDc      | no     |
| scanIDe | machine3 | fail1 | scanIDe      | yes    |
| scanIDf | machine3 | fail1 | scanIDe      | no     |
| scanIDf | machine3 | fail2 | scanIDe      | no     |
Now you can search for recent="yes".
My case was a little different. The name of the scan (the "name" field) did not change. However, the "scan_start" field (when the scan was started) was different for each scan run. I wanted to keep the scans with the latest value of scan_start. So I used this search:
mysearch | streamstats first(scan_start) as scan_start_first by name | eval recent=if(scan_start=scan_start_first,"yes","no")
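The `streamstats first(...) by ...` trick in the answer above depends on event order: Splunk returns events newest-first by default, so the first scan seen per machine is the latest one. The following Python script is an added example, not code from the answer or from Splunk, that reproduces the same logic outside Splunk over a constructed set of Nessus-style events (field names `scanID`, `machine`, `fail`, `scan_start` follow the answer; the timestamp values and the helper names `streamstats_first`, `flag_recent`, `recent_only` and `latest_by_field` are assumptions). It covers both variants from the answer (grouping on a scan id and on `scan_start`) and shows the order caveat: feeding the same events oldest-first flags the wrong scan, which `latest_by_field` avoids by sorting on the timestamp before flagging.

```python
"""Mimic `streamstats first(X) as X_first by Y | eval recent=...` over scan findings."""

# Constructed sample events, listed in Splunk's default order (newest scan first per machine).
# Mirrors the table in the answer; scan_start values are invented for the second variant.
EVENTS = [
    {"scanID": "scanIDa", "machine": "machine1", "fail": "fail1", "scan_start": "2024-03-08T09:00:00"},
    {"scanID": "scanIDa", "machine": "machine1", "fail": "fail2", "scan_start": "2024-03-08T09:00:00"},
    {"scanID": "scanIDb", "machine": "machine1", "fail": "fail1", "scan_start": "2024-03-01T09:00:00"},
    {"scanID": "scanIDb", "machine": "machine1", "fail": "fail2", "scan_start": "2024-03-01T09:00:00"},
    {"scanID": "scanIDb", "machine": "machine1", "fail": "fail3", "scan_start": "2024-03-01T09:00:00"},
    {"scanID": "scanIDc", "machine": "machine2", "fail": "fail1", "scan_start": "2024-03-07T09:00:00"},
    {"scanID": "scanIDc", "machine": "machine2", "fail": "fail2", "scan_start": "2024-03-07T09:00:00"},
    {"scanID": "scanIDc", "machine": "machine2", "fail": "fail3", "scan_start": "2024-03-07T09:00:00"},
    {"scanID": "scanIDd", "machine": "machine2", "fail": "fail1", "scan_start": "2024-02-28T09:00:00"},
    {"scanID": "scanIDd", "machine": "machine2", "fail": "fail3", "scan_start": "2024-02-28T09:00:00"},
    {"scanID": "scanIDe", "machine": "machine3", "fail": "fail1", "scan_start": "2024-03-09T09:00:00"},
    {"scanID": "scanIDf", "machine": "machine3", "fail": "fail1", "scan_start": "2024-03-03T09:00:00"},
    {"scanID": "scanIDf", "machine": "machine3", "fail": "fail2", "scan_start": "2024-03-03T09:00:00"},
]


def streamstats_first(events, field, by):
    """Equivalent of `streamstats first(<field>) as <field>_first by <by>`.

    For each event (in stream order), carry the first non-null value of <field>
    seen so far within the same <by> group. Returns new dicts; input is untouched.
    """
    first_seen = {}
    out = []
    for ev in events:
        key = ev.get(by)
        if key not in first_seen and ev.get(field) is not None:
            first_seen[key] = ev[field]
        row = dict(ev)
        row[f"{field}_first"] = first_seen.get(key)
        out.append(row)
    return out


def flag_recent(events, field, by):
    """Equivalent of `eval recent=if(<field>=<field>_first,"yes","no")`."""
    rows = streamstats_first(events, field, by)
    for row in rows:
        row["recent"] = "yes" if row[field] == row[f"{field}_first"] else "no"
    return rows


def recent_only(events, field, by):
    """The final `recent="yes"` filter: findings from the latest scan of each group."""
    return [row for row in flag_recent(events, field, by) if row["recent"] == "yes"]


def latest_by_field(events, ts_field, by):
    """Order-independent variant: sort newest-first on a timestamp field before flagging,
    the way `| sort 0 -scan_start` before streamstats would in SPL.
    """
    ordered = sorted(events, key=lambda ev: ev[ts_field], reverse=True)
    return recent_only(ordered, ts_field, by)


if __name__ == "__main__":
    # Variant 1 from the answer: group on machine, pick first scanID seen.
    for row in recent_only(EVENTS, "scanID", "machine"):
        print(row["machine"], row["scanID"], row["fail"])
    # Order caveat: oldest-first input makes first() pick the OLD scan.
    oldest_first = list(reversed(EVENTS))
    print({r["machine"]: r["scanID"] for r in recent_only(oldest_first, "scanID", "machine")})
    # Variant 2 made robust: sort on scan_start before flagging.
    print({r["machine"]: r["scanID"] for r in latest_by_field(oldest_first, "scan_start", "machine")})
```

When run, the first loop yields the six rows marked `yes` in the table above. The dictionary printed next shows `machine1` mapped to `scanIDb`, because with oldest-first input `first()` keeps the old scan; the last dictionary maps it back to `scanIDa` once the events are sorted on `scan_start` first. In Splunk the same protection is an explicit `sort 0 -scan_start` (or `-_time`) ahead of `streamstats`, so the result does not silently change when a scheduled search or summary index delivers events in a different order.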