Splunk Search

Specified field missing from results:time

Contributor

I'm trying to group similar events in a search for Linux audit events. I've managed to group them by the event time, but the results listed the events according to the pid instead.

When I tried to sort them by time, it gave me the error:
Specified field(s) missing from results: 'time'

Here is my search command:
source="auditd" auid=root OR uid=root OR auid=0 | transaction time | fillnull value="-" | stats values(Session_ID) ,values(type) ,values(path) ,values(time) by pid auid exe | sort time

"time" is a field extracted from the raw event. The current results give me the pid & Session_ID in ascending order, but I want to sort them by time instead.

Contributor

I've tried using this from your solution:

source="auditd" | transaction time | fillnull value="-" | stats values(Session_ID),values(type),values(path) by time pid auid exe | sort time

It displays my results nicely. However, it is in ascending order, and when I tried to sort it in descending order using "| sort -time", the results still come back in ascending order.

Contributor

I'd like to display in descending order so that the last event is shown first in the results table in Splunk. When I use the "table" command in place of stats, everything is shown nicely, but it doesn't allow us to drill down by clicking on the event, which is why I am considering using stats.

Splunk Employee

The stats command removes all fields other than those explicitly named there. After stats processes data, there is no longer a field named time, though there is a multi-valued field called values(time). I don't know how you want to resolve what to do if there are multiple time values for each pid auid exe combination, but your choices are:

... | stats 
        values(Session_ID)
        values(type)
        values(path)
        last(time) as time 
      by pid auid exe
    | sort time

which will just include the last (i.e., earliest) time. You could use first(time) to use the first (i.e. most recent) time for any given pid auid exe combination. Or you could say:

... | stats 
        values(Session_ID)
        values(type)
        values(path)
      by time pid auid exe
    | sort time

which will create a separate entry for each value of time (in combination with each pid auid exe).
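To make the field-dropping behaviour concrete, here is an added Python model of the pipeline above; it is example code written for this page, not Splunk's implementation or anything posted in the thread. The sample events are constructed, not real auditd output, and the model simplifies Splunk's stats and sort (it sorts numerically and returns results newest-first, as a Splunk search does, so first() is the most recent value and last() the earliest). It shows the original query failing with the same message, the last(time) as time variant, and the by time variant, each sortable in either direction.

```python
"""Model of how stats drops fields and how the two fixes make `time` sortable.

Added example for this thread; not Splunk code. The records below are
constructed to resemble auditd events, with `time` as an epoch string.
"""
from collections import defaultdict

# Constructed "search results": Splunk returns events newest-first, so this
# list is in reverse-chronological order (the same order stats sees).
RESULTS = [
    {"pid": "4102", "auid": "0", "exe": "/usr/bin/sudo", "time": "1700000300",
     "type": "SYSCALL", "Session_ID": "7", "path": "/etc/shadow"},
    {"pid": "4102", "auid": "0", "exe": "/usr/bin/sudo", "time": "1700000200",
     "type": "PATH", "Session_ID": "7", "path": "/etc/sudoers"},
    {"pid": "3990", "auid": "0", "exe": "/usr/bin/vi", "time": "1700000100",
     "type": "SYSCALL", "Session_ID": "5", "path": "/etc/passwd"},
    {"pid": "3990", "auid": "0", "exe": "/usr/bin/vi", "time": "1700000050",
     "type": "CWD", "Session_ID": "5", "path": "/root"},
]

BY_FIELDS = ["pid", "auid", "exe"]


def stats(results, by, aggs):
    """Mimic `stats <aggs> by <by>`.

    Each output row carries ONLY the by-fields plus the named aggregates
    (func, source_field, output_name); every other field is gone, which is
    why `sort time` fails unless `time` is a by-field or an alias.
    """
    groups = defaultdict(list)
    for ev in results:
        groups[tuple(ev.get(f) for f in by)].append(ev)
    rows = []
    for key, evs in groups.items():
        row = dict(zip(by, key))
        for func, field, alias in aggs:
            vals = [e[field] for e in evs if field in e]
            if func == "values":
                row[alias] = sorted(set(vals))   # multivalue result
            elif func == "first":
                row[alias] = vals[0]             # first seen = most recent
            elif func == "last":
                row[alias] = vals[-1]            # last seen = earliest
        rows.append(row)
    return rows


def sort_rows(rows, field, descending=False):
    """Mimic `sort field` / `sort -field`, complaining like Splunk when the
    field is absent from the rows produced by stats."""
    if any(field not in r for r in rows):
        raise ValueError(f"Specified field(s) missing from results: '{field}'")
    return sorted(rows, key=lambda r: float(r[field]), reverse=descending)


def original_query():
    """values(time) by pid auid exe | sort time -> 'time' does not survive."""
    rows = stats(RESULTS, BY_FIELDS, [("values", "Session_ID", "values(Session_ID)"),
                                      ("values", "time", "values(time)")])
    try:
        sort_rows(rows, "time")
    except ValueError as err:
        return str(err)
    return "sorted"


def last_time_query(descending=False):
    """... last(time) as time by pid auid exe | sort [-]time."""
    rows = stats(RESULTS, BY_FIELDS, [("values", "path", "values(path)"),
                                      ("last", "time", "time")])
    return [(r["pid"], r["time"]) for r in sort_rows(rows, "time", descending)]


def time_in_by_query(descending=False):
    """... by time pid auid exe | sort [-]time: one row per distinct time."""
    rows = stats(RESULTS, ["time"] + BY_FIELDS, [("values", "type", "values(type)")])
    return [(r["time"], r["pid"]) for r in sort_rows(rows, "time", descending)]


if __name__ == "__main__":
    print(original_query())
    print(last_time_query(descending=True))
    print(time_in_by_query(descending=True))
```

Running it with descending=True puts the newest time first, which is the ordering the follow-up comments ask for; if a real search still comes back ascending after `sort -time`, the thing to check is what is actually in the `time` field after stats (a multivalue `values(time)` or a non-numeric string cannot be sorted as a single time).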