Security

Error message: domain needs 'min' and 'max' fields

frizzoS3
New Member

Hi

I have run the following search ( Endpoint - Malware Daily Count - Context Gen) verified from a couple of different sources, and get the above mentioned error message....any advice?

| tstats `summariesonly` dc(Malware_Attacks.signature) as infection_count from datamodel=Malware.Malware_Attacks 
where earliest=-31d@d latest=-1d@d Malware_Attacks.action=allowed by Malware_Attacks.dest,_time 
span=1d | stats sum(infection_count) as total_infection_count by _time 
| stats count,median(total_infection_count) as median by _time 
| eval min=0 | eval max=median*2 | xsCreateDDContext name=count_1d container=malware type=domain 
terms="minimal,small,medium,large,extreme" scope=app app=SA-NetworkProtection | stats count
Tags (1)
0 Karma

starcher
Influencer

I imagine you are not getting any results from the base search. so there are no "events" going into the chained stats, so the evals have nothing to add to. Thus you have empty results going tiny the CreateDD command.

0 Karma

DalJeanis
Legend

@frizzoS3 - This answer by @starcher seems correct. To test that, run this and see if there are any results...

| tstats `summariesonly` dc(Malware_Attacks.signature) as infection_count 
    from datamodel=Malware.Malware_Attacks 
    where earliest=-31d@d latest=-1d@d Malware_Attacks.action=allowed 
    by Malware_Attacks.dest,_time  span=1d 
| head 5
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...