Splunk Search

How to use tstats count as output to eval subsearch?

bradw2021
Engager

Have a search that returns emails of interest (possibly malicious). Trying to add a subsearch that will return a count of how many times each sender address has been seen in the last 30 days (regardless of the timeframe used in the main search).

When using the search below, Splunk returns a "Error in eval command: Fields cannot be assigned a boolean result" error based on the eval command. The tstats command works fine independently.

index=proofpoint
| rex field=msg.header.reply-to{} ".*\<(?<Sender_Address>[a-zA-Z0-9\.\-\+]+@[a-zA-Z0-9\.\-]+)\>"
| eval Sender_Count=[ | tstats count where index=proofpoint TERM($Sender_Address$) earliest=-30d@m latest=now]
| table _time msg_header_from msg.header.reply-to{} Sender_Address Sender_Count

 

Don't worry about the sub-optimal email matching regex - just POC.

Tried appendcols, too, with no luck. Is this possible? Thank you

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

You could try something like this

| map search="| tstats count as Sender_Count where index=proofpoint TERM($Sender_Address$) earliest=-30d@m latest=now"

Note that by default, map is limited to 10 searches, so you might need to add the maxsearches parameter.

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You could try something like this

| map search="| tstats count as Sender_Count where index=proofpoint TERM($Sender_Address$) earliest=-30d@m latest=now"

Note that by default, map is limited to 10 searches, so you might need to add the maxsearches parameter.

0 Karma

bradw2021
Engager

Thank you @ITWhisperer - This could potentially be a part of the solution, but seems to be focused on passing a variable from the main search to a secondary search, whereas I am trying to take secondary search results (Sender_Count below) and add them to the table generated by the main search, e.g.

Before:

_timeSender_AddressSubjectRecipient
7/26/2022 12:16:00jdoe@acme.tldPlease sign this documentuser1@mycorp.tld
7/26/2022 12:16:05jane.doe@hacker.tldYou can trust meuser2@mycorp.tld
7/26/2022 12:16:10benign@mycorp.tldYou're fireduser3@mycorp.tld

 

After:

_timeSender_AddressSubjectRecipientSender_Count
7/26/2022 12:16:00jdoe@acme.tldPlease sign this documentuser1@mycorp.tld1
7/26/2022 12:16:05jane.doe@hacker.tldYou can trust meuser2@mycorp.tld0
7/26/2022 12:16:10benign@mycorp.tldYou're fireduser3@mycorp.tld48
0 Karma

bradw2021
Engager

Was able to add the map command output to the main search output by appending a bunch of eval commands to the map search. Thank you @ITWhisperer 

0 Karma

schose
Builder

Hi,

doing an eval from a second search is working like this - same like yours but "| return $fieldname" added

| makeresults
| eval indexcount=[| tstats count as indexcount where index=_internal earliest=-24h@h | return $indexcount]

 

but, i guess this would not work in your token you are passing down from main search..

regards,

Andreas

0 Karma

bradw2021
Engager

Thank you @schose - Will play some more with the return function, as the map command is slooooooooooow and defeats the benefit of using the tstats/TERM search for a rapid count

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...