topic Re: help to filter data after a loadjob command in Splunk Search

help to filter data after a loadjob command

jip31 — Tue, 26 Nov 2019 06:51:19 GMT

hi
I use the scheduled search below

`winevent` (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND source="WinEventLog:Microsoft-Windows-Sysmon/Operational")
| fields host sourcetype source 
| stats dc(host) as host by sourcetype 
| sort -host

In my dashboard, I use a text box in order to be able to filter the results by host
So I call the scheduled search from my dashboard like this :
| loadjob savedsearch="admin:xxxxx:wineventbysourcetype"
| search host=$tok_filterhost$

The problem is that I can see my data but I am unable to filter by host
I succeed to filter by host if I put the stats command after the token filter :
| search host=$tok_filterhost$
| stats.....

But what I need is to keep the stats command in the scheduled search
so what is missing in my search please??

Re: help to filter data after a loadjob command

gcusello — Tue, 26 Nov 2019 12:08:25 GMT

Hi @jip31,
I tried something like your search
main search

index=wineventlog | head 3000

second search

| loadjob 1574769641.9641 | search NOT EventCode=4672 | stats count BY EventCode

and it's running!

Could you share the output of the loadjob command?

Ciao.
Giuseppe

Re: help to filter data after a loadjob command

jip31 — Tue, 26 Nov 2019 12:17:29 GMT

HI
like I said i am fonding a solution for thats working with stats in the search and not after loadjob
sorry no output for the loadjob command, I have just any results

Re: help to filter data after a loadjob command

gcusello — Tue, 26 Nov 2019 12:24:35 GMT

Hi @jip31,
In my example it runs:
main search

index=wineventlog | head 3000 | stats count BY EventCode

second search

| loadjob 1574770940.9780 | search EventCode=4624

Anyway, did you explored the opportunity to use summary indexes?
you can archive the output of searches using collect or tscollect.

Ciao.
Giuseppe

Re: help to filter data after a loadjob command

jip31 — Tue, 26 Nov 2019 12:35:05 GMT

Yes I think its something like this and if you see my example its almost what I am doing
But, the problem is that I cant done :
| stats dc(host) as host by sourcetype host

It means that its impossible to stats host and to do a filter.... by host

Re: help to filter data after a loadjob command

gcusello — Tue, 26 Nov 2019 13:44:25 GMT

Hi @jip31,
I don't know if this is the problem, but you cannot use the same field name in as and in by.

| stats dc(host) as host by sourcetype host

Anyway i tried a search
main search

index=wineventlog | head 3000 | stats dc(EventCode) As ec count BY Dominio_account EventCode

second search

| loadjob 1574775632.10229 | stats count BY Dominio_account

Ciao.

Re: help to filter data after a loadjob command

jip31 — Tue, 26 Nov 2019 14:05:41 GMT

thanks but its no exactly correspond to my expectations

Re: help to filter data after a loadjob command

gcusello — Tue, 26 Nov 2019 14:14:53 GMT

Hi @jip31,
what's the problem: to use host two times in stats or other?
Thi isn't possible also in a normal stats command.

You could run:

 `winevent` (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND source="WinEventLog:Microsoft-Windows-Sysmon/Operational")
 | fields host sourcetype source 
 | stats dc(host) as dc_host by sourcetype host
 | sort -host

Ciao.
Giuseppe

Re: help to filter data after a loadjob command

woodcock — Tue, 26 Nov 2019 23:45:49 GMT

Everything should work as-is with the possible exception of sort - host which is trimming your results set to 1000. Try switching to sort 0 - host and all should be good.

Re: help to filter data after a loadjob command

jip31 — Thu, 28 Nov 2019 06:00:12 GMT

ok thanks