Error message: domain needs 'min' and 'max' fields

frizzoS3 · ‎09-29-2017

Hi

I have run the following search ( Endpoint - Malware Daily Count - Context Gen) verified from a couple of different sources, and get the above mentioned error message....any advice?

| tstats `summariesonly` dc(Malware_Attacks.signature) as infection_count from datamodel=Malware.Malware_Attacks 
where earliest=-31d@d latest=-1d@d Malware_Attacks.action=allowed by Malware_Attacks.dest,_time 
span=1d | stats sum(infection_count) as total_infection_count by _time 
| stats count,median(total_infection_count) as median by _time 
| eval min=0 | eval max=median*2 | xsCreateDDContext name=count_1d container=malware type=domain 
terms="minimal,small,medium,large,extreme" scope=app app=SA-NetworkProtection | stats count

starcher · ‎09-29-2017

I imagine you are not getting any results from the base search. so there are no "events" going into the chained stats, so the evals have nothing to add to. Thus you have empty results going tiny the CreateDD command.

DalJeanis · ‎09-29-2017

@frizzoS3 - This answer by @starcher seems correct. To test that, run this and see if there are any results...

| tstats `summariesonly` dc(Malware_Attacks.signature) as infection_count 
    from datamodel=Malware.Malware_Attacks 
    where earliest=-31d@d latest=-1d@d Malware_Attacks.action=allowed 
    by Malware_Attacks.dest,_time  span=1d 
| head 5

Error message: domain needs 'min' and 'max' fields

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?