Splunk Search

Specified field missing from results: time

remy06
Contributor

I'm trying to group similar events in a search for Linux audit events. I've managed to group them by the event time, but the results listed the events according to the pid instead.

When I tried to sort them by time, it gave me the error:
Specified field(s) missing from results: 'time'

Here is my search command:
source="auditd" auid=root OR uid=root OR auid=0 | transaction time | fillnull value="-" | stats values(Session_ID) ,values(type) ,values(path) ,values(time) by pid auid exe | sort time

"time" is a field extracted from the raw event. The current results gave me the pid & Session_ID in ascending order, but I want to sort them by the time instead.


remy06
Contributor

I've tried using this from your solution:

source="auditd" | transaction time | fillnull value="-" | stats values(Session_ID),values(type),values(path) by time pid auid exe | sort time

It displays my results nicely. However, it is in ascending order, and when I tried to sort it in descending order using "| sort -time", the results are still shown in ascending order.


remy06
Contributor

I'd like to display in descending order so that the last event is shown first in the results table in Splunk. When I use the "table" command in place of stats, everything is shown nicely, but it doesn't allow us to drill down by clicking on the event; that's why I am considering using stats.


gkanapathy
Splunk Employee

The stats command removes all fields other than those explicitly named there. After stats processes data, there is no longer a field named time, though there is a multi-valued field called values(time). I don't know how you want to resolve what to do if there are multiple time values for each pid auid exe combination, but your choices are:

... | stats 
        values(Session_ID)
        values(type)
        values(path)
        last(time) as time 
      by pid auid exe
    | sort time

which will just include the last (i.e., earliest) time. You could use first(time) to use the first (i.e. most recent) time for any given pid auid exe combination. Or you could say:

... | stats 
        values(Session_ID)
        values(type)
        values(path)
      by time pid auid exe
    | sort time

which will create a separate entry for each value of time (in combination with each pid auid exe).
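To make the difference between the two variants concrete, here is a small Python model of the `stats` / `sort` behaviour described in this answer, run over a few constructed auditd-style events. It is an added illustration, not Splunk code: the `stats` and `sort_by` helpers are assumptions that model only the semantics discussed here (by-fields plus named aggregates survive, `values()` is a distinct sorted list, `first`/`last` follow the most-recent-first order of search results, and a missing sort field is reported the way the question shows).

```python
from collections import OrderedDict

# Constructed audit events, listed the way Splunk returns search results:
# most recent first. That ordering is why first(time) is the latest time
# and last(time) the earliest for each pid/auid/exe group.
EVENTS = [
    {"time": "10:05:09", "pid": "4120", "auid": "0", "exe": "/usr/bin/sudo",
     "type": "USER_CMD", "Session_ID": "7"},
    {"time": "10:04:55", "pid": "4120", "auid": "0", "exe": "/usr/bin/sudo",
     "type": "SYSCALL", "Session_ID": "7", "path": "/etc/shadow"},
    {"time": "10:01:30", "pid": "3988", "auid": "0", "exe": "/usr/bin/vi",
     "type": "SYSCALL", "Session_ID": "7", "path": "/etc/sudoers"},
]

BY = ["pid", "auid", "exe"]


def stats(events, by, aggs):
    """Model of `stats`: output rows carry only the by-fields and the named
    aggregates. aggs is a list of (function, input_field, output_field), e.g.
    ("last", "time", "time") for `last(time) as time`. Missing by-field values
    become "-", mirroring the `fillnull value="-"` in the original search."""
    groups = OrderedDict()
    for ev in events:
        key = tuple(ev.get(f, "-") for f in by)
        groups.setdefault(key, []).append(ev)
    rows = []
    for key, evs in groups.items():
        row = dict(zip(by, key))
        for fn, field, out in aggs:
            vals = [e[field] for e in evs if field in e]
            if fn == "values":
                row[out] = sorted(set(vals))   # distinct, lexicographic order
            elif fn == "first":
                row[out] = vals[0]             # most recent in the group
            elif fn == "last":
                row[out] = vals[-1]            # earliest in the group
        rows.append(row)
    return rows


def has_field(rows, field):
    return all(field in r for r in rows)


def sort_by(rows, field, descending=False):
    """Model of `sort field` / `sort -field`; fails like the question shows
    when the field did not survive the preceding stats."""
    if not has_field(rows, field):
        raise KeyError(f"Specified field(s) missing from results: '{field}'")
    return sorted(rows, key=lambda r: r[field], reverse=descending)
```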
