topic Re: tstats count as output to eval subsearch in Splunk Search

How to use tstats count as output to eval subsearch?

bradw2021 — Tue, 26 Jul 2022 13:56:27 GMT

Have a search that returns emails of interest (possibly malicious). Trying to add a subsearch that will return a count of how many times each sender address has been seen in the last 30 days (regardless of the timeframe used in the main search).

When using the search below, Splunk returns a "Error in eval command: Fields cannot be assigned a boolean result" error based on the eval command. The tstats command works fine independently.

index=proofpoint | rex field=msg.header.reply-to{} ".*\<(?<Sender_Address>[a-zA-Z0-9\.\-\+]+@[a-zA-Z0-9\.\-]+)\>" | eval Sender_Count=[ | tstats count where index=proofpoint TERM($Sender_Address$) earliest=-30d@m latest=now] | table _time msg_header_from msg.header.reply-to{} Sender_Address Sender_Count

Don't worry about the sub-optimal email matching regex - just POC.

Tried appendcols, too, with no luck. Is this possible? Thank you

Re: tstats count as output to eval subsearch

ITWhisperer — Tue, 26 Jul 2022 07:58:09 GMT

You could try something like this

| map search="| tstats count as Sender_Count where index=proofpoint TERM($Sender_Address$) earliest=-30d@m latest=now"

Note that by default, map is limited to 10 searches, so you might need to add the maxsearches parameter.

Re: tstats count as output to eval subsearch

bradw2021 — Tue, 26 Jul 2022 16:20:51 GMT

Thank you @ITWhisperer - This could potentially be a part of the solution, but seems to be focused on passing a variable from the main search to a secondary search, whereas I am trying to take secondary search results (Sender_Count below) and add them to the table generated by the main search, e.g.

Before:

_time	Sender_Address	Subject	Recipient
7/26/2022 12:16:00	jdoe@acme.tld	Please sign this document	user1@mycorp.tld
7/26/2022 12:16:05	jane.doe@hacker.tld	You can trust me	user2@mycorp.tld
7/26/2022 12:16:10	benign@mycorp.tld	You're fired	user3@mycorp.tld

After:

_time	Sender_Address	Subject	Recipient	Sender_Count
7/26/2022 12:16:00	jdoe@acme.tld	Please sign this document	user1@mycorp.tld	1
7/26/2022 12:16:05	jane.doe@hacker.tld	You can trust me	user2@mycorp.tld	0
7/26/2022 12:16:10	benign@mycorp.tld	You're fired	user3@mycorp.tld	48

Re: tstats count as output to eval subsearch

schose — Tue, 26 Jul 2022 21:02:28 GMT

Hi,

doing an eval from a second search is working like this - same like yours but "| return $fieldname" added

| makeresults | eval indexcount=[| tstats count as indexcount where index=_internal earliest=-24h@h | return $indexcount]

but, i guess this would not work in your token you are passing down from main search..

regards,

Andreas

Re: tstats count as output to eval subsearch

bradw2021 — Wed, 27 Jul 2022 19:04:05 GMT

Was able to add the map command output to the main search output by appending a bunch of eval commands to the map search. Thank you @ITWhisperer

Re: tstats count as output to eval subsearch

bradw2021 — Wed, 27 Jul 2022 19:06:35 GMT

Thank you @schose - Will play some more with the return function, as the map command is slooooooooooow and defeats the benefit of using the tstats/TERM search for a rapid count