Solved: How to use tstats count as output to eval subsearc...

bradw2021 · ‎07-25-2022

Have a search that returns emails of interest (possibly malicious). Trying to add a subsearch that will return a count of how many times each sender address has been seen in the last 30 days (regardless of the timeframe used in the main search).

When using the search below, Splunk returns a "Error in eval command: Fields cannot be assigned a boolean result" error based on the eval command. The tstats command works fine independently.

index=proofpoint
| rex field=msg.header.reply-to{} ".*\<(?<Sender_Address>[a-zA-Z0-9\.\-\+]+@[a-zA-Z0-9\.\-]+)\>"
| eval Sender_Count=[ | tstats count where index=proofpoint TERM($Sender_Address$) earliest=-30d@m latest=now]
| table _time msg_header_from msg.header.reply-to{} Sender_Address Sender_Count

Don't worry about the sub-optimal email matching regex - just POC.

Tried appendcols, too, with no luck. Is this possible? Thank you

ITWhisperer · ‎07-26-2022

You could try something like this

| map search="| tstats count as Sender_Count where index=proofpoint TERM($Sender_Address$) earliest=-30d@m latest=now"

Note that by default, map is limited to 10 searches, so you might need to add the maxsearches parameter.

View solution in original post

ITWhisperer · ‎07-26-2022

You could try something like this

| map search="| tstats count as Sender_Count where index=proofpoint TERM($Sender_Address$) earliest=-30d@m latest=now"

Note that by default, map is limited to 10 searches, so you might need to add the maxsearches parameter.

bradw2021 · ‎07-26-2022

Thank you @ITWhisperer - This could potentially be a part of the solution, but seems to be focused on passing a variable from the main search to a secondary search, whereas I am trying to take secondary search results (Sender_Count below) and add them to the table generated by the main search, e.g.

Before:

_time	Sender_Address	Subject	Recipient
7/26/2022 12:16:00	jdoe@acme.tld	Please sign this document	user1@mycorp.tld
7/26/2022 12:16:05	jane.doe@hacker.tld	You can trust me	user2@mycorp.tld
7/26/2022 12:16:10	benign@mycorp.tld	You're fired	user3@mycorp.tld

After:

_time	Sender_Address	Subject	Recipient	Sender_Count
7/26/2022 12:16:00	jdoe@acme.tld	Please sign this document	user1@mycorp.tld	1
7/26/2022 12:16:05	jane.doe@hacker.tld	You can trust me	user2@mycorp.tld	0
7/26/2022 12:16:10	benign@mycorp.tld	You're fired	user3@mycorp.tld	48

bradw2021 · ‎07-27-2022

Was able to add the map command output to the main search output by appending a bunch of eval commands to the map search. Thank you @ITWhisperer

schose · ‎07-26-2022

Hi,

doing an eval from a second search is working like this - same like yours but "| return $fieldname" added

| makeresults
| eval indexcount=[| tstats count as indexcount where index=_internal earliest=-24h@h | return $indexcount]

but, i guess this would not work in your token you are passing down from main search..

regards,

Andreas

bradw2021 · ‎07-27-2022

Thank you @schose - Will play some more with the return function, as the map command is slooooooooooow and defeats the benefit of using the tstats/TERM search for a rapid count

How to use tstats count as output to eval subsearch?

regex

subsearch

tstats

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!