Splunk Search

How can I pipe the results of a stats command into another search as a field to perform a boolean operation?

andimnf
Explorer

I'm struggling to output the results of a stats command into a new field so that I can then perform a search based on the results of that field.

My stats command which will pull back a single value for the latest DAT version which works as expected.
index=av source="av:events"| stats max(dat_version) as LatestDAT

I then wish to perform another search on the same source for all events where the dat_version is less than LatestDAT-7

Is this possible?

0 Karma

FrankVl
Ultra Champion

Try this:

index=av source="av:events"
| eventstats max(dat_version) as LatestDAT
| where dat_version<LatestDAT-7

Not 100% sure if that where command supports doing the -7 subtraction as part of the comparison. If not, just add an eval command before, to calculate the LatestDAT-7 threshold and then compare against that.

0 Karma

lakshman239
Influencer

Can you try index=av source="av:events"| stats max(dat_version) as LatestDAT values(dat_version) AS dat_version | where dat_version < LatestDAT-7

0 Karma

andimnf
Explorer

Thanks! This didn't quite give me what I needed, but it did point me in the right direction to get something close.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...