From 4185fb01af952e25e29a0e8ba697262172e8a76e Mon Sep 17 00:00:00 2001 From: Tony Phipps Date: Thu, 30 Nov 2023 16:46:59 -0700 Subject: [PATCH] Find Unique Events (or Newly Observed as Alert --- Products/splunk.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Products/splunk.md b/Products/splunk.md index 3ebe44b..8d34d22 100644 --- a/Products/splunk.md +++ b/Products/splunk.md @@ -254,6 +254,16 @@ Check the latest 7 days for logs, then review the last one day. If a log source | table title description disabled is_scheduled search cron_schedule actions action.email action.email.to action.email.message.alert alert.expires alert.severity alert.suppress alert.suppress.period alert_comparator alert_condition alert_threshold alert_type allow_skew display.events.fields eai:acl.sharing eai:acl.perms.read eai:acl.perms.write id ``` +## Find Unique Events (or Newly Observed as Alert) +If ran as an alert, will find "Newly Observed" events. If used in a widget or report, will show unique events. +``` +index="something" +| eval _time = strptime(DateScanned, "%Y-%m-%d %T%Z") +| eventstats max(_time) as last_seen min(_time) as first_seen by host, ProcessName +| where last_seen == first_seen +``` + + ## Rex Magic ### Derive the Application Logs within Linux:Messages
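Review bot: the "Newly Observed" claim in the new section only holds for the search's own time range: `eventstats max(_time) ... min(_time) ... by host, ProcessName | where last_seen == first_seen` flags any host/ProcessName pair that has a single timestamp inside the window, so a pair seen daily for a year still matches when the alert runs over the last 24 hours. Either document that the alert must be scheduled with a lookback long enough to cover the baseline (and that the result is "seen exactly once in the window", not "never seen before"), or compare against a stored baseline (for example a lookup of known host/ProcessName pairs). Two smaller points in the same hunk: `eval _time = strptime(DateScanned, "%Y-%m-%d %T%Z")` overwrites the indexed `_time`, and rows whose `DateScanned` fails to parse get a null `_time`, so their min/max are null and the `where` silently drops them; a separate field name such as `scan_time` keeps the original timestamp available. Also, `eventstats` keeps every raw event, so a pair seen once still emits its one event but nothing collapses duplicates when several events share the same `DateScanned` value; `| stats count min(_time) as first_seen max(_time) as last_seen by host, ProcessName | where count=1` gives one row per pair and states the intent directly. Minor wording: "If ran as an alert" should read "If run as an alert".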