How do I use the latest/newest value to be used as...

Kitteh · ‎11-09-2017

I am trying to use the latest "Value" from the last Added/Updated Registry Key but however it took in the oldest result instead... How do I fix this?

My query:
index="winauto"
| eval _time = strftime(_time,"%d-%m-%y %H:%M:%S")
| where (registry_type="SetValue" AND data!="") OR registry_type="DeleteKey"
| eval Data=if(data="", "NA", data)
| eventstats last(Data) as latestdata by key_path
| eval Data=if(Data="NA", latestdata, Data)
| eval Action=if(registry_type="SetValue", "Added/Updated Registry Key", "Removed Registry Key")
| where Data != "NA"
| table _time, Action, key_path, Data
| rename key_path AS "Key" Data AS "Value" _time AS "Time"

My intended result should be "TestData oh" in the first row but however it took in the oldest data which is "TestData"

elliotproebstel · ‎11-09-2017

If you want to return only the most recent event matching a given search, you can do this:
base search | head 1

This will always return a single event; because Splunk returns events in reverse-chronological order, the head command will return the most recent one. So in your case, if you wanted to find the most recent event where action="Added/Updated Registry Key", then the search would look like this:

action="Added/Updated Registry Key" | head 1

mayurr98 · ‎11-09-2017

try using stats command with latest and earliest option

Refer this doc
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Stats#Event_order_functions

Let me know if it works

Kitteh · ‎11-09-2017

Not sure how it would work since I am not sure where to edit in my query. Will be editing my post and add in the query I've used.

How do I use the latest/newest value to be used as a value?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!