Solved: Re: Query Logs with the latest time

mursidehsani · ‎11-05-2024

I have this query

is not mapped to ink name
| rex "(?<time>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}).*Ink Type '(?<ink_type>[^']+)'"
| sort - time
| table time ink_type

that will have this result

I want the result to be just the latest log date. In this case it will only show the top 3. And when new logs comes in, then it will show that new logs only

gcusello · ‎11-05-2024

Hi @mursidehsani,

please try this:

<your_search>
| rex "(?<time>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}).*Ink Type '(?<ink_type>[^']+)'"
| stats values(ink_type) AS ink_type BY time
| sort - time
| head 1
| mvexpand ink_type

Ciao.

Giuseppe

View solution in original post

gcusello · ‎11-05-2024

Hi @mursidehsani,

please try this:

<your_search>
| rex "(?<time>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}).*Ink Type '(?<ink_type>[^']+)'"
| stats values(ink_type) AS ink_type BY time
| sort - time
| head 1
| mvexpand ink_type

Ciao.

Giuseppe

mursidehsani · ‎11-05-2024

Hi @gcusello

It works! Thank you so much for your help.

gcusello · ‎11-05-2024

Hi @mursidehsani ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Query Logs with the latest time

table

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?