Splunk Search

Using stats to select the earliest record to pipe into the map function

Kanesol
Explorer

I am trying to select the earliest record and then pipe that into the map function to perform an additional search using that information.

So far I am trying the following:

index="proxy_logs" "Malicious Outbound Data/Botnets" OR "Malicious Sources/Malnets" earliest=-1d | stats earliest(_time) as first_event by cs_host | eval nice_time = strftime(first_event,"%F %T")| eval check_from = relative_time(first_event, "-d") | eval check_from = strftime(check_from,"%F %T") 

| map maxsearches=42 search="search earliest=$check_from$ latest=$nice_time$ index=proxy_logs filter_result!=DENIED cs_host=$cs_host$"  | eval acesstimes = strftime(_time,"%F %T") | transaction cs_host | dedup cs_uri_path | table cs_host, cs_uri_path, cs_uri_query, acesstimes, cs_username | join cs_host 

[search index="proxy_logs"  "Malicious Outbound Data/Botnets" OR "Malicious Sources/Malnets" cs_host!="" earliest=-1d |eval blocktime = strftime(_time,"%F %T") |  stats earliest(_time) as blocktime by cs_host | fields cs_host, blocktime ]

This returns no results however if I break the search up it does return results for the dataset that I am testing.

0 Karma

somesoni2
Revered Legend

Do you see the results for the query before the join?

0 Karma

rakeshh123
Path Finder

Try using eventstats instead of stats in the queries, because e.g. index=x|stats count by y| table z ,y won't return any results, but eventstats will work, because stats won't forward events. Replace your second query with the first, because mapping more events ---> fewer events will result in redundancy. The query is very big; try to reduce it. Use tags for specific events and give your own naming conventions.

index=X earliest=-1d filter_result!=DENIED | eventstats earliest(_time) as blocktime by cs_host | eval nice_time = strftime(blocktime,"%F %T") | eval check_from = relative_time(blocktime, "-d") | eval check_from = strftime(check_from,"%F %T") | eval acesstimes = strftime(_time,"%F %T") | transaction cs_host | dedup cs_uri_path | table cs_host, cs_uri_path, cs_uri_query, acesstimes, cs_username | join 3rd Query ......

0 Karma

dart
Splunk Employee

What's the overall goal here?

0 Karma

Sebastian2
Path Finder

Are you sure that your join over the subsearch is correct?

  1. According to the join reference the inner join is the default behaviour. If there are no matches, there won't be any results (try a left join for debugging)
  2. Make sure that your subsearch doesn't have more than 10000 results, otherwise the results will be cut (and therefore may not match anymore, see 1.)
  3. Try to avoid using subsearches since they bring at least n²-complexity into your search and make it slow and error-prone

0 Karma
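One way to restructure the question's query, as an added example that is not from any poster in this thread: the time boundaries stay as epoch numbers so each one is a single token when map substitutes it (a strftime'd "%F %T" value contains a space and is split inside the generated search), the block time is carried into the mapped search with an eval instead of being re-derived in a joined subsearch, and events without a cs_host are excluded up front. The field names (cs_host, filter_result, cs_uri_path, cs_uri_query, cs_username) are the ones from the question; the index name and search terms are taken from it as well.

```spl
index="proxy_logs" ("Malicious Outbound Data/Botnets" OR "Malicious Sources/Malnets") cs_host=* earliest=-1d
| stats earliest(_time) AS first_event BY cs_host
| eval check_from = relative_time(first_event, "-1d")
| map maxsearches=42 search="search index=proxy_logs cs_host=$cs_host$ filter_result!=DENIED earliest=$check_from$ latest=$first_event$ | eval blocktime=$first_event$ | dedup cs_uri_path | table cs_host, cs_uri_path, cs_uri_query, _time, cs_username, blocktime"
| eval accesstime = strftime(_time, "%F %T"), blocktime = strftime(blocktime, "%F %T")
| table cs_host, cs_uri_path, cs_uri_query, accesstime, cs_username, blocktime
```

Because every row from the map already carries blocktime, no join is needed, which also sidesteps the subsearch result limit mentioned above.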