Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get the last _raw events - JSON file

rafamss
Contributor
‎12-11-2020 11:00 AM

Hi crew,

I have a JSON file from Vulnerability services generated one time per hour, and I just needed to get the last _raw event. How is it possible? I want to show the data from the last 7 or 15 days using this condiction.

rafamss_0-1607713061316.png

 

 

 

| rename Issues{}.details AS details Issues{}.file AS file Issues{}.severity AS severity Issues{}.confidence AS confidence Issues{}.line AS line
| eval tempField=mvzip(mvzip(mvzip(mvzip(details, file), severity), confidence), line)
| stats count by _time, service, source, tempField
| eval details=mvindex(split(tempField,","),0), file=mvindex(split(tempField,","),1), severity=mvindex(split(tempField,","),2), confidence=mvindex(split(tempField,","),3), line=mvindex(split(tempField, ","),4)
| stats max(_time) AS latest, count AS Issues by _time, severity
| sort - _time

 

 

 

Labels (1)
Labels
Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rafamss
Contributor
‎12-18-2020 11:24 AM

Well, crew! Splunk showed the two latest events, so I followed a tip to send these events to a lookup table and use this lookup table to transform and present the data! It's working fine and with good performance. Thank you all.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rafamss
Contributor
‎12-18-2020 11:24 AM

Well, crew! Splunk showed the two latest events, so I followed a tip to send these events to a lookup table and use this lookup table to transform and present the data! It's working fine and with good performance. Thank you all.

0 Karma
Reply
Solved! Jump to solution

dmarling
Builder
‎12-14-2020 05:41 AM

If you just want the latest _raw value in a time period you can just use latest(_raw) in your stats.  Here's an example:

 

| rename Issues{}.details AS details Issues{}.file AS file Issues{}.severity AS severity Issues{}.confidence AS confidence Issues{}.line AS line
| eval tempField=mvzip(mvzip(mvzip(mvzip(details, file), severity), confidence), line)
| stats count latest(_raw) as example by _time, service, source, tempField
| eval details=mvindex(split(tempField,","),0), file=mvindex(split(tempField,","),1), severity=mvindex(split(tempField,","),2), confidence=mvindex(split(tempField,","),3), line=mvindex(split(tempField, ","),4)
| stats max(_time) AS latest, count AS Issues latest(example) as example by _time, severity
| sort - _time
If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎12-12-2020 03:45 AM

Your question is not totally clear, but I wonder if you mean "Can I also display the vulnerability details"?

In which case you could try replacing the last stats with:

| stats max(_time) AS latest, count AS Issues by _time, severity, details

 

or 

| stats max(_time) AS latest, count AS Issues by _time, severity, details, file, line

if you want all the fields 

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎12-12-2020 02:10 AM

What's _raw event?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...