Splunk Search

How do I use the latest/newest value to be used as a value?

Kitteh
Path Finder

I am trying to use the latest "Value" from the last Added/Updated Registry Key but however it took in the oldest result instead... How do I fix this?

My query:
index="winauto"
| eval _time = strftime(_time,"%d-%m-%y %H:%M:%S")
| where (registry_type="SetValue" AND data!="") OR registry_type="DeleteKey"
| eval Data=if(data="", "NA", data)
| eventstats last(Data) as latestdata by key_path
| eval Data=if(Data="NA", latestdata, Data)
| eval Action=if(registry_type="SetValue", "Added/Updated Registry Key", "Removed Registry Key")
| where Data != "NA"
| table _time, Action, key_path, Data
| rename key_path AS "Key" Data AS "Value" _time AS "Time"

My intended result should be "TestData oh" in the first row but however it took in the oldest data which is "TestData"
alt text

Tags (2)
0 Karma

elliotproebstel
Champion

If you want to return only the most recent event matching a given search, you can do this:
base search | head 1

This will always return a single event; because Splunk returns events in reverse-chronological order, the head command will return the most recent one. So in your case, if you wanted to find the most recent event where action="Added/Updated Registry Key", then the search would look like this:

action="Added/Updated Registry Key" | head 1

0 Karma

mayurr98
Super Champion

try using stats command with latest and earliest option

Refer this doc
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Stats#Event_order_functions

Let me know if it works

Kitteh
Path Finder

Not sure how it would work since I am not sure where to edit in my query. Will be editing my post and add in the query I've used.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...