Splunk Search

How to get the last value from a previous event filtered by host?

goodsellt
Contributor

My problem stems from how the last() function works, where it pulls the last value from the previous event. While I want it to do that, I also want to have the events filtered by another value (ex: multiple hosts have events in the system, and I want the last value that each event pulls for calculation to be from the same host).

To explain how I've gotten to this point:
I'm looking at a series of data which indicates whether or not a drive is encrypted on a specific machine. The data comes in as the following:

Time;client1;volume1;Y (encryption status yes or no)
Time;client1;volume2;Y 
Time;client2;volume1;N 
....

I use the transaction command so that all the events are grouped by client, however, it is spanned since these checks are run as a batch job at a set interval and I wish to know if the encryption status has changed since the last check.

Data after transaction:

Time;client1;volume1,volume2;Y,Y
Time;client2;volume1;N

I then insert a surrogate variable which says whether or not all drives on the system are encrypted (so I do not need to work with a multi-value field).

At the end of the day I can get something like:

Time1;client1;volume1,volume2;Y,Y;1 (1 for full encryption, 0 if not)
Time1;client2;volume1;N;0
Time2;client1;volume1,volume2;Y,Y;1
Time2;client2;volume1;Y;1
...

I'm unable to figure out a successful way to use the last function so that I can grab the last value from a specific client at a different time instead of just the value of the client which was listed just before it at the same time.

I attempted sorting by client then using it with no success.
Would you all recommend I try doing another transaction (one where the span length is much larger or even infinite)?
Is there a special way to use the eventstats command to perform this kind of action?

After doing some research, it seems like a lot of the solutions revolve around filtering out all the data apart from a specific client and doing it, however, my end goal involves creating a chart which can show the trend of the number of machines becoming fully encrypted or the number of machines where the drives are being unencrypted, so I'm trying to include all machines in this dataset.

Thanks for any guidance anyone can provide.

0 Karma
1 Solution

goodsellt
Contributor

Just posting this to let everyone know I did find a solution to this issue.

I did end up just doing a double transaction, and while it slows down the query quite a bit, it was effective for what I was trying to do.


0 Karma
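As an added example that is not the poster's own search, here is one way to pull the previous check's value per client with streamstats instead of the second transaction the poster settled on, and to chart clients that became fully encrypted or lost full encryption. It assumes the extracted field names client, volume and status, and placeholder values for the index, sourcetype and batch interval (none of these are from the original post).

```spl
index=drive_checks sourcetype=encryption_status
``` one transaction per client per batch run; maxspan is the batch interval (placeholder) ```
| transaction client maxspan=10m
``` fully encrypted only if no volume in the batch reported N ```
| eval fully_encrypted=if(isnull(mvfind(status, "^N$")), 1, 0)
``` streamstats walks events in pipeline order and search results arrive newest first, so sort oldest first ```
| sort 0 _time
``` prev_fully_encrypted = value of the previous event for the same client (current=f excludes the event itself) ```
| streamstats current=f window=1 last(fully_encrypted) as prev_fully_encrypted by client
| eval change=case(
    isnull(prev_fully_encrypted), "first_seen",
    fully_encrypted=1 AND prev_fully_encrypted=0, "became_encrypted",
    fully_encrypted=0 AND prev_fully_encrypted=1, "became_unencrypted",
    true(), "no_change")
| timechart span=1d
    count(eval(change="became_encrypted")) as newly_encrypted
    count(eval(change="became_unencrypted")) as newly_unencrypted
```

The by client clause keeps a separate "previous value" per client, so a client2 event never sees client1's last value even though they share a timestamp; the first event for each client gets first_seen rather than a spurious change.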