Security

Error message: domain needs 'min' and 'max' fields

frizzoS3
New Member

Hi

I have run the following search ( Endpoint - Malware Daily Count - Context Gen) verified from a couple of different sources, and get the above mentioned error message....any advice?

| tstats `summariesonly` dc(Malware_Attacks.signature) as infection_count from datamodel=Malware.Malware_Attacks 
where earliest=-31d@d latest=-1d@d Malware_Attacks.action=allowed by Malware_Attacks.dest,_time 
span=1d | stats sum(infection_count) as total_infection_count by _time 
| stats count,median(total_infection_count) as median by _time 
| eval min=0 | eval max=median*2 | xsCreateDDContext name=count_1d container=malware type=domain 
terms="minimal,small,medium,large,extreme" scope=app app=SA-NetworkProtection | stats count
Tags (1)
0 Karma

starcher
Influencer

I imagine you are not getting any results from the base search. so there are no "events" going into the chained stats, so the evals have nothing to add to. Thus you have empty results going tiny the CreateDD command.

0 Karma

DalJeanis
Legend

@frizzoS3 - This answer by @starcher seems correct. To test that, run this and see if there are any results...

| tstats `summariesonly` dc(Malware_Attacks.signature) as infection_count 
    from datamodel=Malware.Malware_Attacks 
    where earliest=-31d@d latest=-1d@d Malware_Attacks.action=allowed 
    by Malware_Attacks.dest,_time  span=1d 
| head 5
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...