How can I pipe the results of a stats command into...

andimnf · ‎04-24-2019

I'm struggling to output the results of a stats command into a new field so that I can then perform a search based on the results of that field.

My stats command which will pull back a single value for the latest DAT version which works as expected.
index=av source="av:events"| stats max(dat_version) as LatestDAT

I then wish to perform another search on the same source for all events where the dat_version is less than LatestDAT-7

Is this possible?

FrankVl · ‎04-25-2019

Try this:

index=av source="av:events"
| eventstats max(dat_version) as LatestDAT
| where dat_version<LatestDAT-7

Not 100% sure if that where command supports doing the -7 subtraction as part of the comparison. If not, just add an eval command before, to calculate the LatestDAT-7 threshold and then compare against that.

lakshman239 · ‎04-24-2019

Can you try index=av source="av:events"| stats max(dat_version) as LatestDAT values(dat_version) AS dat_version | where dat_version < LatestDAT-7

andimnf · ‎04-25-2019

Thanks! This didn't quite give me what I needed, but it did point me in the right direction to get something close.

How can I pipe the results of a stats command into another search as a field to perform a boolean operation?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How can I pipe the results of a stats command into another search as a field to perform a boolean operation?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?