https://community.splunk.com/t5/Security/Error-message-domain-needs-min-and-max-fields/m-p/369758#M12863 <P>Hi </P> <P>I have run the following search ( Endpoint - Malware Daily Count - Context Gen) verified from a couple of different sources, and get the above mentioned error message....any advice?</P> <PRE><CODE>| tstats `summariesonly` dc(Malware_Attacks.signature) as infection_count from datamodel=Malware.Malware_Attacks where earliest=-31d@d latest=-1d@d Malware_Attacks.action=allowed by Malware_Attacks.dest,_time span=1d | stats sum(infection_count) as total_infection_count by _time | stats count,median(total_infection_count) as median by _time | eval min=0 | eval max=median*2 | xsCreateDDContext name=count_1d container=malware type=domain terms="minimal,small,medium,large,extreme" scope=app app=SA-NetworkProtection | stats count </CODE></PRE> Fri, 29 Sep 2017 15:46:02 GMT frizzoS3 2017-09-29T15:46:02Z https://community.splunk.com/t5/Security/Error-message-domain-needs-min-and-max-fields/m-p/369758#M12863 <P>Hi </P> <P>I have run the following search ( Endpoint - Malware Daily Count - Context Gen) verified from a couple of different sources, and get the above mentioned error message....any advice?</P> <PRE><CODE>| tstats `summariesonly` dc(Malware_Attacks.signature) as infection_count from datamodel=Malware.Malware_Attacks where earliest=-31d@d latest=-1d@d Malware_Attacks.action=allowed by Malware_Attacks.dest,_time span=1d | stats sum(infection_count) as total_infection_count by _time | stats count,median(total_infection_count) as median by _time | eval min=0 | eval max=median*2 | xsCreateDDContext name=count_1d container=malware type=domain terms="minimal,small,medium,large,extreme" scope=app app=SA-NetworkProtection | stats count </CODE></PRE> Fri, 29 Sep 2017 15:46:02 GMT https://community.splunk.com/t5/Security/Error-message-domain-needs-min-and-max-fields/m-p/369758#M12863 frizzoS3 2017-09-29T15:46:02Z https://community.splunk.com/t5/Security/Error-message-domain-needs-min-and-max-fields/m-p/369759#M12864 <P>I imagine you are not getting any results from the base search. so there are no "events" going into the chained stats, so the evals have nothing to add to. Thus you have empty results going tiny the CreateDD command.</P> Fri, 29 Sep 2017 16:56:40 GMT https://community.splunk.com/t5/Security/Error-message-domain-needs-min-and-max-fields/m-p/369759#M12864 starcher 2017-09-29T16:56:40Z https://community.splunk.com/t5/Security/Error-message-domain-needs-min-and-max-fields/m-p/369760#M12865 <P>@frizzoS3 - This answer by @starcher seems correct. To test that, run this and see if there are any results...</P> <PRE><CODE>| tstats `summariesonly` dc(Malware_Attacks.signature) as infection_count from datamodel=Malware.Malware_Attacks where earliest=-31d@d latest=-1d@d Malware_Attacks.action=allowed by Malware_Attacks.dest,_time span=1d | head 5 </CODE></PRE> Fri, 29 Sep 2017 17:24:28 GMT https://community.splunk.com/t5/Security/Error-message-domain-needs-min-and-max-fields/m-p/369760#M12865 DalJeanis 2017-09-29T17:24:28Z