
Error message: domain needs 'min' and 'max' fields

frizzoS3
New Member

Hi

I have run the following search (Endpoint - Malware Daily Count - Context Gen), verified from a couple of different sources, and get the above-mentioned error message... any advice?

| tstats `summariesonly` dc(Malware_Attacks.signature) as infection_count 
    from datamodel=Malware.Malware_Attacks 
    where earliest=-31d@d latest=-1d@d Malware_Attacks.action=allowed 
    by Malware_Attacks.dest,_time span=1d 
| stats sum(infection_count) as total_infection_count by _time 
| stats count, median(total_infection_count) as median by _time 
| eval min=0 
| eval max=median*2 
| xsCreateDDContext name=count_1d container=malware type=domain 
    terms="minimal,small,medium,large,extreme" scope=app app=SA-NetworkProtection 
| stats count

starcher
Influencer

I imagine you are not getting any results from the base search, so there are no "events" going into the chained stats, so the evals have nothing to add to. Thus you have empty results going into the CreateDD command.


DalJeanis
Legend

@frizzoS3 - This answer by @starcher seems correct. To test that, run this and see if there are any results...

| tstats `summariesonly` dc(Malware_Attacks.signature) as infection_count 
    from datamodel=Malware.Malware_Attacks 
    where earliest=-31d@d latest=-1d@d Malware_Attacks.action=allowed 
    by Malware_Attacks.dest,_time  span=1d 
| head 5
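As an added diagnostic (not posted in this thread), the search below runs over the same data model and time window but drops the action filter, listing every Malware_Attacks.action value held in the accelerated summary together with its event count and first/last dates. If "allowed" does not appear in the output, the Malware_Attacks.action=allowed filter empties the base search and xsCreateDDContext never receives min and max; if nothing comes back at all, the summary holds no data for that window and acceleration should be checked.

```spl
| tstats `summariesonly` count
    min(_time) as first_seen
    max(_time) as last_seen
    from datamodel=Malware.Malware_Attacks
    where earliest=-31d@d latest=-1d@d
    by Malware_Attacks.action
| eval first_seen=strftime(first_seen, "%F"),
       last_seen=strftime(last_seen, "%F")
| sort - count
```

Rerun the original context-generation search only once this shows a non-zero count for the action value you filter on.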