I am trying to use the latest "Value" from the last Added/Updated Registry Key but however it took in the oldest result instead... How do I fix this?
My query:
index="winauto"
| eval _time = strftime(_time,"%d-%m-%y %H:%M:%S")
| where (registry_type="SetValue" AND data!="") OR registry_type="DeleteKey"
| eval Data=if(data="", "NA", data)
| eventstats last(Data) as latestdata by key_path
| eval Data=if(Data="NA", latestdata, Data)
| eval Action=if(registry_type="SetValue", "Added/Updated Registry Key", "Removed Registry Key")
| where Data != "NA"
| table _time, Action, key_path, Data
| rename key_path AS "Key" Data AS "Value" _time AS "Time"
My intended result should be "TestData oh" in the first row but however it took in the oldest data which is "TestData"
If you want to return only the most recent event matching a given search, you can do this:
base search | head 1
This will always return a single event; because Splunk returns events in reverse-chronological order, the head
command will return the most recent one. So in your case, if you wanted to find the most recent event where action="Added/Updated Registry Key"
, then the search would look like this:
action="Added/Updated Registry Key" | head 1
try using stats command with latest and earliest option
Refer this doc
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Stats#Event_order_functions
Let me know if it works
Not sure how it would work since I am not sure where to edit in my query. Will be editing my post and add in the query I've used.