Using stats to select the earliest record to pipe into the map function

Kanesol
Explorer

I am trying to select the earliest record and then pipe that into the map function to perform an additional search using that information.

So far I am trying the following:

index="proxy_logs" "Malicious Outbound Data/Botnets" OR "Malicious Sources/Malnets" earliest=-1d | stats earliest(_time) as first_event by cs_host | eval nice_time = strftime(first_event,"%F %T") | eval check_from = relative_time(first_event, "-d") | eval check_from = strftime(check_from,"%F %T")
| map maxsearches=42 search="search earliest=$check_from$ latest=$nice_time$ index=proxy_logs filter_result!=DENIED cs_host=$cs_host$" | eval acesstimes = strftime(_time,"%F %T") | transaction cs_host | dedup cs_uri_path | table cs_host, cs_uri_path, cs_uri_query, acesstimes, cs_username | join cs_host
[search index="proxy_logs" "Malicious Outbound Data/Botnets" OR "Malicious Sources/Malnets" cs_host!="" earliest=-1d | eval blocktime = strftime(_time,"%F %T") | stats earliest(_time) as blocktime by cs_host | fields cs_host, blocktime ]

This returns no results; however, if I break the search up, it does return results for the dataset that I am testing.


somesoni2
Revered Legend

Do you see the results for the query before the join?


rakeshh123
Path Finder

Try using eventstats instead of stats in the queries, because, for example, index=x | stats count by y | table z, y won't return any results, but eventstats will work, because stats won't forward events. Replace your second query with the first, because mapping more events to fewer events will result in redundancy. The query is very big; try to reduce it. Use tags for specific events and give your own naming conventions.

Index=X earliest=-1d maxsearches=42 filter_result!=DENIED | eventstats earliest(_time) as blocktime by cs_host | eval nice_time = strftime(first_event,"%F %T")| eval check_from = relative_time(first_event, "-d") | eval check_from = strftime(check_from,"%F %T") |eval acesstimes = strftime(_time,"%F %T") | transaction cs_host | dedup cs_uri_path | table cs_host, cs_uri_path, cs_uri_query, acesstimes, cs_username | join 3rd Query ......


dart
Splunk Employee

What's the overall goal here?


Sebastian2
Path Finder

Are you sure that your join over the subsearch is correct?

  1. According to the join reference, the inner join is the default behaviour. If there are no matches, there won't be any results (try a left join for debugging).
  2. Make sure that your subsearch doesn't have more than 10000 results, otherwise the results will be cut (and therefore may not match anymore, see 1.).
  3. Try to avoid using subsearches, since they bring at least n²-complexity into your search and make it slow and error-prone.
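As an added example (not the asker's query and not code from any of the answers), here is one way to write the "first block time per host, then look at what the host did in the day before it" search so that the two pitfalls visible in the thread are avoided: it passes epoch values to the inner search's earliest/latest, and it carries the block time through the map search instead of joining a subsearch back on cs_host. It assumes the field names from the question (cs_host, filter_result, cs_uri_path, cs_uri_query, cs_username) and renames the misspelled acesstimes field to accesstime.

```spl
index="proxy_logs" ("Malicious Outbound Data/Botnets" OR "Malicious Sources/Malnets") cs_host!="" earliest=-1d
| stats earliest(_time) AS first_event BY cs_host
| eval block_epoch = ceiling(first_event)
| eval check_from = floor(relative_time(first_event, "-1d"))
| map maxsearches=42 search="search index=proxy_logs earliest=$check_from$ latest=$block_epoch$ cs_host=\"$cs_host$\" filter_result!=DENIED | eval blocktime = strftime($block_epoch$, \"%F %T\") | eval accesstime = strftime(_time, \"%F %T\") | dedup cs_uri_path | table cs_host, cs_uri_path, cs_uri_query, accesstime, cs_username, blocktime"
```

Two design points. First, earliest and latest accept epoch seconds directly, so the values produced by stats and relative_time are substituted into the map search as-is; a "%F %T" string contains a space, and once substituted it is parsed as a time modifier followed by a stray keyword, which is one reason a map search can silently match nothing. Second, every row that comes out of map already carries block_epoch for its host, so the block time is formatted inside the inner search and no join or subsearch is needed; that also keeps the result away from the subsearch result limit mentioned above. The map command still runs one search per host, so maxsearches must be at least the number of distinct hosts, and the inner searches should be scoped as tightly as possible.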