
Using stats to select the earliest record to pipe into the map function

Explorer

I am trying to select the earliest record and then pipe that into the map function to perform an additional search using that information.

So far I am trying the following:

index="proxy_logs" "Malicious Outbound Data/Botnets" OR "Malicious Sources/Malnets" earliest=-1d | stats earliest(_time) as first_event by cs_host | eval nice_time = strftime(first_event,"%F %T")| eval check_from = relative_time(first_event, "-d") | eval check_from = strftime(check_from,"%F %T")
| map maxsearches=42 search="search earliest=$check_from$ latest=$nice_time$ index=proxy_logs filter_result!=DENIED cs_host=$cs_host$"  | eval acesstimes = strftime(_time,"%F %T") | transaction cs_host | dedup cs_uri_path | table cs_host, cs_uri_path, cs_uri_query, acesstimes, cs_username | join cs_host
[search index="proxy_logs"  "Malicious Outbound Data/Botnets" OR "Malicious Sources/Malnets" cs_host!="" earliest=-1d |eval blocktime = strftime(_time,"%F %T") |  stats earliest(_time) as blocktime by cs_host | fields cs_host, blocktime ]

This returns no results; however, if I break the search up, it does return results for the dataset that I am testing.


Revered Legend

Do you see the results for the query before the join??


Path Finder

Try using eventstats instead of stats in the queries, because, for example, index=x | stats count by y | table z, y won't return any results, but eventstats will work, because stats won't forward events. Replace your second query with the first, because mapping more events to fewer events will result in redundancy. The query is very big; try to reduce it. Use tags for specific events and give your own naming conventions.

Index=X earliest=-1d maxsearches=42 filter_result!=DENIED | eventstats earliest(_time) as blocktime by cs_host | eval nice_time = strftime(first_event,"%F %T")| eval check_from = relative_time(first_event, "-d") | eval check_from = strftime(check_from,"%F %T") |eval acesstimes = strftime(_time,"%F %T") | transaction cs_host | dedup cs_uri_path | table cs_host, cs_uri_path, cs_uri_query, acesstimes, cs_username | join 3rd Query ......


Splunk Employee

What's the overall goal here?


Path Finder

Are you sure that your join over the subsearch is correct?

  1. According to the join reference, the inner join is the default behaviour. If there are no matches, there won't be any results (try a left join for debugging).
  2. Make sure that your subsearch doesn't have more than 10000 results, otherwise the results will be cut (and therefore may not match anymore, see 1.).
  3. Try to avoid using subsearches since they bring at least n²-complexity into your search and make it slow and error-prone.
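As an added example that is not from any post in this thread, here is one way to write the lookback the question describes (allowed traffic from each host in the day before its first blocked request) without the trailing join: the map tokens carry epoch seconds rather than "%F %T" strings, so the substituted earliest/latest values contain no spaces, and the block time is copied into each mapped result with eval instead of being joined back from a subsearch. The field names cs_host, filter_result, cs_uri_path, cs_uri_query and cs_username come from the question; the index name, the 24-hour window and maxsearches=42 are assumptions taken from the question's own query.

```spl
index="proxy_logs" ("Malicious Outbound Data/Botnets" OR "Malicious Sources/Malnets") earliest=-1d
| stats earliest(_time) AS first_block BY cs_host
| eval first_block = floor(first_block), check_from = first_block - 86400
| map maxsearches=42 search="search index=proxy_logs cs_host=$cs_host$ filter_result!=DENIED earliest=$check_from$ latest=$first_block$ | eval first_block=$first_block$ | dedup cs_uri_path | table cs_host cs_uri_path cs_uri_query cs_username _time first_block"
| eval access_time = strftime(_time, "%F %T"), first_block_time = strftime(first_block, "%F %T")
| table cs_host cs_uri_path cs_uri_query cs_username access_time first_block_time
```

If the outer stats returns more hosts than maxsearches allows, map silently stops after that many searches, so compare the host count from the first two lines with the number of distinct cs_host values in the final table when validating the result.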