Solved: Re: Need help with having earliest command and two...

Anthonylucian · ‎03-31-2021

I currently have two searches that work separately but when I combine them into one search I cant seem to get it to run.

The first part is to find the earliest/Minimum value in a field called First_Seen for each Datacenter. First seen I have to convert into a readable format but I have this search working on its own.

| stats min(firstSeen) AS min by Datacenter
| eval min = strftime(min, "%F %T.%3N")

The second part is getting stats on a field called state, Adding up a state of "Open" and "Reopened" per each Datacenter and then counting the number of state="Fixed" by each datacenter

| stats count(eval(state="open" OR state="reopened")) as Open count(eval(state="fixed")) as fixed by Datacenter

when I have all of these together within one query I get nothing to load, but separately they both work.

scelikok · ‎03-31-2021

Hi @Anthonylucian,

Please try below;

| eventstats min(firstSeen) AS min by Datacenter
| stats latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| stats count(eval(state="open" OR state="reopened")) as Open count(eval(state="fixed")) as fixed min(min) as min by Datacenter
| eval min = strftime(min, "%F %T.%3N")

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

scelikok · ‎03-31-2021

You're welcome, please mark solution as accepted for other community members to benefit as well.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok · ‎03-31-2021

Hi @Anthonylucian,

Please try below;

| eventstats min(firstSeen) AS min by Datacenter
| stats latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| stats count(eval(state="open" OR state="reopened")) as Open count(eval(state="fixed")) as fixed min(min) as min by Datacenter
| eval min = strftime(min, "%F %T.%3N")

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Anthonylucian · ‎03-31-2021

It worked!

Thank you very much for the help!

richgalloway · ‎03-31-2021

The problem with combining these two searches one after the other is the first stats command strips out all fields except 'min' and "Datacenter' so there is no 'state' for the second stats command to use.

Try replacing the first stats command with eventstats.

---
If this reply helps you, Karma would be appreciated.

Anthonylucian · ‎03-31-2021

Events stats didnt work for me, if you look below in the thread you can see the full search being used. Would I need multiple event stats?

ITWhisperer · ‎03-31-2021

How have you combined them?

Anthonylucian · ‎03-31-2021

Just listing them sequentially, I have a few commands between to help me get rid of duplicates and retrieve the latest stats. would a subsearch be needed?

| stats min(firstSeen) AS min by Datacenter
| eval min = strftime(min, "%F %T.%3N")
| stats latest(*) AS * by ip, pluginID
| dedup macAddress, Datacenter
| stats count(eval(state="open" OR state="reopened")) as Open count(eval(state="fixed")) as fixed by Datacenter

ITWhisperer · ‎03-31-2021

Each stats is only passing the fields it output down the pipeline, so the second won't have ip or pluginID to group by

Need help with having earliest command and two other stats commands in same query

count

stats

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life