Splunk Enterprise

Error in 'tstats' command: This command must be the first command of a search?

Frofro87
New Member

Hello,

I was using a search and getting the error message stated in the subject. I have tried moving tstats around and editing some of the commands, but I either run into the same error or a tsidx error. Here is the search:


index=netsec_index sourcetype=pan* OR sourcetype=fgt* user=saic-corp\\heathl misc=* OR url=* earliest=-4d| eval Domain=coalesce(misc, url)
| eval domain=misc + "," + url
| makemv delim="," domain
| fields _time action category rule session_end_reason http_category vendor_action url misc domain Domain
| table _time action category rule session_end_reason http_category vendor_action url misc domain Domain
| stats count by domain `comment("Search for High Volume of Packets in/out (Show Megabytes/Gigabytes) back by earliest=-1d. Exclude app=ipsec.")`
| tstats summariesonly=true count from datamodel=Network_Traffic where All_Traffic.action=allowed AND NOT All_Traffic.app=ipsec-esp-udp earliest=-1d by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.app All_Traffic.packets_in All_Traffic.packets_out All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.action All_Traffic.rule All_Traffic.user
| rename All_Traffic.* as *
| sort - bytes_out
| eval Megabytes_out=round(bytes_out/1024/1024,2) `comment("Math for bytes > Megabytes")`
| eval Megabytes_in=round(bytes_in/1024/1024,2) `comment("Math for bytes > Megabytes")`
| eval Gigabytes_out=round(bytes_out/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")`
| eval Gigabytes_in=round(bytes_in/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")`
| eval packets_in=tostring(packets_in, "commas")
| eval packets_out=tostring(packets_out, "commas")
| eval bytes=tostring(bytes, "commas")
| eval bytes_in=tostring(bytes_in, "commas")
| eval bytes_out=tostring(bytes_out, "commas")
| fields - count
| head 100



If any guidance can be provided, I would appreciate it. Thank you.


SanjayReddy
SplunkTrust

Hi @Frofro87

The tstats command needs to be at the start of the query.

As you are using tstats in the middle of the query, it's throwing the error.

Either you can move tstats to the start or add tstats in a subsearch; below is the highlighted version.

index=netsec_index sourcetype=pan* OR sourcetype=fgt* user=saic-corp\\heathl misc=* OR url=* earliest=-4d| eval Domain=coalesce(misc, url)
| eval domain=misc + "," + url
| makemv delim="," domain
| fields _time action category rule session_end_reason http_category vendor_action url misc domain Domain
| table _time action category rule session_end_reason http_category vendor_action url misc domain Domain
| stats count by domain `comment("Search for High Volume of Packets in/out (Show Megabytes/Gigabytes) back by earliest=-1d. Exclude app=ipsec.")`


[| tstats summariesonly=true count from datamodel=Network_Traffic where All_Traffic.action=allowed AND NOT All_Traffic.app=ipsec-esp-udp earliest=-1d by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.app All_Traffic.packets_in All_Traffic.packets_out All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.action All_Traffic.rule All_Traffic.user]


| rename All_Traffic.* as *
| sort - bytes_out
| eval Megabytes_out=round(bytes_out/1024/1024,2) `comment("Math for bytes > Megabytes")`
| eval Megabytes_in=round(bytes_in/1024/1024,2) `comment("Math for bytes > Megabytes")`
| eval Gigabytes_out=round(bytes_out/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")`
| eval Gigabytes_in=round(bytes_in/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")`
| eval packets_in=tostring(packets_in, "commas")
| eval packets_out=tostring(packets_out, "commas")
| eval bytes=tostring(bytes, "commas")
| eval bytes_in=tostring(bytes_in, "commas")
| eval bytes_out=tostring(bytes_out, "commas")
| fields - count
| head 100


Frofro87
New Member

Hi Sanjay,


Thank you for the reply. I have tried moving the tstats command to the beginning of the search. I apologize for not mentioning it in the original posting. I still end up with the same error message.


index=netsec_index sourcetype=pan* OR sourcetype=fgt* user=saic-corp\\heathl misc=* OR url=* earliest=-4d| eval Domain=coalesce(misc, url)
| tstats summariesonly=true count from datamodel=Network_Traffic where All_Traffic.action=allowed AND NOT All_Traffic.app=ipsec-esp-udp earliest=-1d by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.app All_Traffic.packets_in All_Traffic.packets_out All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.action All_Traffic.rule All_Traffic.user
| eval domain=misc + "," + url
| makemv delim="," domain
| fields _time action category rule session_end_reason http_category vendor_action url misc domain Domain
| table _time action category rule session_end_reason http_category vendor_action url misc domain Domain
| stats count by domain `comment("Search for High Volume of Packets in/out (Show Megabytes/Gigabytes) back by earliest=-1d. Exclude app=ipsec.")`
| rename All_Traffic.* as *
| sort - bytes_out
| eval Megabytes_out=round(bytes_out/1024/1024,2) `comment("Math for bytes > Megabytes")`
| eval Megabytes_in=round(bytes_in/1024/1024,2) `comment("Math for bytes > Megabytes")`
| eval Gigabytes_out=round(bytes_out/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")`
| eval Gigabytes_in=round(bytes_in/1024/1024/1024,2) `comment("Math for bytes > Gigabytes")`
| eval packets_in=tostring(packets_in, "commas")
| eval packets_out=tostring(packets_out, "commas")
| eval bytes=tostring(bytes, "commas")
| eval bytes_in=tostring(bytes_in, "commas")
| eval bytes_out=tostring(bytes_out, "commas")
| fields - count
| head 100
