Error in 'tstats' command: This command must be th...

Frofro87 · ‎12-27-2022

Hello,

I was using a search and getting an error message stated in the subject. I have tried moving the tstats around and editing some of the commands but either run into the same error or tsidx error. Here is the search as follows.

index=netsec_index sourcetype=pan* OR sourctype=fgt* user=saic-corp\\heathl misc=* OR url=* earliest=-4d| eval Domain=coalesce(misc, url)
| eval domain=misc + "," + url
| makemv delim="," domain
| fields _time action category rule session_end_reason http_category vendor_action url misc domain Domain
| table _time action category rule session_end_reason http_category vendor_action url misc domain Domain
| stats count by domain `comment("Search for High Volume of Packets in/out (Show Megabytes/Gigabytes) back by earliest=-1d. Exclude app=ipsec.")`
| tstats summariesonly=true count from datamodel=Network_Traffic where All_Traffic.action=allowed AND NOT All_Traffic.app=ipsec-esp-udp earliest=-1d by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.app All_Traffic.packets_in All_Traffic.packets_out All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.action All_Traffic.rule All_Traffic.user
| rename All_Traffic.* as *
| sort - bytes_out
| eval Megabytes_out=round(bytes_out/1024/1024,2) `comment("Math for bytes > Megabytes")`
| eval Megabytes_in=round(bytes_in/1024/1024,2) `comment("Math for bytes > Megabytes")`
| eval Gigabytes_out=round(bytes_out/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")`
| eval Gigabytes_in=round(bytes_in/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")`
| eval packets_in=tostring(packets_in, "commas")
| eval packets_out=tostring(packets_out, "commas")
| eval bytes=tostring(bytes, "commas")
| eval bytes_in=tostring(bytes_in, "commas")
| eval bytes_out=tostring(bytes_out, "commas")
| fields - count
| head 100

If any guidance can be provided I would be appreciate it. Thank you.

SanjayReddy · ‎12-27-2022

Hi @Frofro87

tstats commad need to at the start of the qurey

as you are using tstats in the middle of the qurey its thoriwng the error ,

either you can move tstats to start or add tstats in subsearch belwo is the hightlited

index=netsec_index sourcetype=pan* OR sourctype=fgt* user=saic-corp\\heathl misc=* OR url=* earliest=-4d| eval Domain=coalesce(misc, url)
| eval domain=misc + "," + url
| makemv delim="," domain
| fields _time action category rule session_end_reason http_category vendor_action url misc domain Domain
| table _time action category rule session_end_reason http_category vendor_action url misc domain Domain
| stats count by domain `comment("Search for High Volume of Packets in/out (Show Megabytes/Gigabytes) back by earliest=-1d. Exclude app=ipsec.")`

[| tstats summariesonly=true count from datamodel=Network_Traffic where All_Traffic.action=allowed AND NOT All_Traffic.app=ipsec-esp-udp earliest=-1d by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.app All_Traffic.packets_in All_Traffic.packets_out All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.action All_Traffic.rule All_Traffic.user]

| rename All_Traffic.* as *
| sort - bytes_out
| eval Megabytes_out=round(bytes_out/1024/1024,2) `comment("Math for bytes > Megabytes")`
| eval Megabytes_in=round(bytes_in/1024/1024,2) `comment("Math for bytes > Megabytes")`
| eval Gigabytes_out=round(bytes_out/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")`
| eval Gigabytes_in=round(bytes_in/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")`
| eval packets_in=tostring(packets_in, "commas")
| eval packets_out=tostring(packets_out, "commas")
| eval bytes=tostring(bytes, "commas")
| eval bytes_in=tostring(bytes_in, "commas")
| eval bytes_out=tostring(bytes_out, "commas")
| fields - count
| head 100

Frofro87 · ‎12-28-2022

Hi Sanjay,

Thank you for the reply. I have tried moving the tstats command to the beginning of the search. I apologize for not mentioning it in the original posting. I still end up with the same error message.

index=netsec_index sourcetype=pan* OR sourctype=fgt* user=saic-corp\\heathl misc=* OR url=* earliest=-4d| eval Domain=coalesce(misc, url)
| tstats summariesonly=true count from datamodel=Network_Traffic where All_Traffic.action=allowed AND NOT All_Traffic.app=ipsec-esp-udp earliest=-1d by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.app All_Traffic.packets_in All_Traffic.packets_out All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.action All_Traffic.rule All_Traffic.user
| eval domain=misc + "," + url
| makemv delim="," domain
| fields _time action category rule session_end_reason http_category vendor_action url misc domain Domain
| table _time action category rule session_end_reason http_category vendor_action url misc domain Domain
| stats count by domain `comment("Search for High Volume of Packets in/out (Show Megabytes/Gigabytes) back by earliest=-1d. Exclude app=ipsec.")`
| rename All_Traffic.* as *
| sort - bytes_out
| eval Megabytes_out=round(bytes_out/1024/1024,2) `comment("Math for bytes > Megabytes")`
| eval Megabytes_in=round(bytes_in/1024/1024,2) `comment("Math for bytes > Megabytes")`
| eval Gigabytes_out=round(bytes_out/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")`
| eval Gigabytes_in=round(bytes_in/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")`
| eval packets_in=tostring(packets_in, "commas")
| eval packets_out=tostring(packets_out, "commas")
| eval bytes=tostring(bytes, "commas")
| eval bytes_in=tostring(bytes_in, "commas")
| eval bytes_out=tostring(bytes_out, "commas")
| fields - count
| head 100

Error in 'tstats' command: This command must be the first command of a search?

using Splunk Enterprise

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes