Find Unique Events (or Newly Observed as Alert

TonyPhipps · Nov 30, 2023 · 4185fb0 · 4185fb0
1 parent c4cf419
commit 4185fb0
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/Products/splunk.md b/Products/splunk.md
@@ -254,6 +254,16 @@ Check the latest 7 days for logs, then review the last one day. If a log source
 | table title description disabled is_scheduled search cron_schedule actions action.email action.email.to action.email.message.alert alert.expires alert.severity alert.suppress alert.suppress.period alert_comparator alert_condition alert_threshold alert_type allow_skew display.events.fields eai:acl.sharing eai:acl.perms.read eai:acl.perms.write id
 ```
 
+## Find Unique Events (or Newly Observed as Alert)
+If ran as an alert, will find "Newly Observed" events. If used in a widget or report, will show unique events.
+```
+index="something"
+| eval _time = strptime(DateScanned, "%Y-%m-%d %T%Z")
+| eventstats max(_time) as last_seen min(_time) as first_seen by host, ProcessName
+|  where last_seen == first_seen
+```
+
+
 ## Rex Magic
 
 ### Derive the Application Logs within Linux:Messages