topic Re: Why is my current stats search not producing any results? in Splunk Search

Why is my current stats search not producing any results?

syed_star357 — Wed, 03 Aug 2016 07:41:41 GMT

Hi,

Can anyone tell me why this comment is not working? I have all the mentioned fields in my data, but when I add stats max(_time) as last_time by host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action |dedup last_time,host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action
I'm not getting any result. Here is my full search:

src=122.15.158.173 sourcetype=cisco:asa "Deny*" |stats max(_time) as last_time by host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action |dedup last_time,host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action

Re: Why is my current stats search not producing any results?

javiergn — Wed, 03 Aug 2016 12:15:59 GMT

Two things:

You don't need the dedup afterwards because you are already summarising with stats
If any of the fields in the stats group by clause does not exist or is empty you are going to have problems.

Try this first to see if the are any events matching your requirements with data in all the required fields:

src=122.15.158.173 sourcetype=cisco:asa "Deny*" 
    host=* 
    sourcetype=*
    action=* 
    dest=* 
    dest_ip=* 
    dest_port=* 
    dev=* 
    index=* 
    msg=* 
    src=* 
    src_ip=* 
    src_port=* 
    vendor_action=*

If that works then append the stats afterwards:

| stats max(_time) as last_time by host, sourcetype, action, dest, dest_ip, dest_port, dev, index, msg, src, src_ip, src_port, vendor_action

Re: Why is my current stats search not producing any results?

inventsekar — Tue, 29 Sep 2020 10:27:55 GMT

as i checked, "sourcetype=cisco:asa" events are not having a field "dev"

tried it without "dev" and its working fine..
src=122.15.158.173 sourcetype=cisco:asa "Deny*"|stats max(_time) as last_time by host,sourcetype,action,dest,dest_ip,dest_port,index,msg,src,src_ip,src_port,vendor_action |dedup last_time,host,sourcetype,action,dest,dest_ip,dest_port,index,msg,src,src_ip,src_port,vendor_action

Re: Why is my current stats search not producing any results?

syed_star357 — Wed, 03 Aug 2016 16:56:12 GMT

No, it has Dev field.

Re: Why is my current stats search not producing any results?

inventsekar — Thu, 04 Aug 2016 07:56:23 GMT

oh ok. i thought cisco:asa logs may have same format. seems your environment is different. ok, thanks.