Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Specified field missing from results:time

remy06
Contributor
‎03-11-2011 03:42 AM

I'm trying to group similar events in a search for linux audit events.I've managed to group them by the event time but the results listed the events according to the pid instead.

When I tried to sort them by time,it gaves me the error:
Specified field(s) missing from results: 'time'

Here is my search command:
source="auditd" auid=root OR uid=root OR auid=0 | transaction time | fillnull value="-" | stats values(Session_ID) ,values(type) ,values(path) ,values(time) by pid auid exe | sort time

"time" is a field extracted from the raw event.The current results gave me the pid & Session_ID in ascending order but I want to sort them by the time instead.

Tags (2)
0 Karma
Reply

remy06
Contributor
‎03-14-2011 02:48 AM

I've tried using this from your solution:

source="auditd" | transaction time | fillnull value="-" | stats values(Session_ID),values(type),values(path) by time pid auid exe | sort time

it displays my results nicely.However,it is in ascending order and when I tried to sort it in descending using "| sort -time", the results still reflect in ascending order.

0 Karma
Reply

remy06
Contributor
‎03-14-2011 03:22 AM

I like to display in descending so that the last event is shown first on the results table in splunk.When I use the "table" command in place of stats everything is nicely shown,but doesn't allow us to drill down by clicking on the event,thats why am considering to use stats..

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-11-2011 07:41 AM

The stats command removes all fields other than those explicitly named there. After stats processes data, there is no longer a field named time, though there is a multi-valued field called values(time). I don't know how you want to resolve what to do if there are multiple time values for each pid auid exe combination, but your choices are:

... | stats 
        values(Session_ID)
        values(type)
        values(path)
        last(time) as time 
      by pid auid exe
    | sort time

which will just include the last (i.e., earliest) time. You could use first(time) to use the first (i.e. most recent) time for any given pid auid exe combination. Or you could say:

... | stats 
        values(Session_ID)
        values(type)
        values(path)
      by time pid auid exe
    | sort time

which will create a separate entry for each value of time (in combination with each pid auid exe).

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...