What am I doing wrong with the aggregate macro syn...

DF10569 · ‎06-09-2016

Search I am trying to use:

index="wineventlog" (EventCode=4656 Accesses=DELETE) OR EventCode=1102 OR EventCode=4670 OR EventCode=564  |  `get_date(now())` | `aggregate("Endpoint - FIM - Rule".date.Object_Name)` |  eval _time=now() | eval orig_raw=_raw | fields - _raw

If I leave in the macro

`aggregate("Endpoint - FIM - Rule".date.Object_Name)`

I receive an error stating aggregate(1), which I haven't been able to find any information on what my syntax issue is.

If I take out the aggregate macro, the search will bring back results.

Two items that i need help with:

What am I doing wrong with the aggregate macro syntax?
Even though the search brings back results, notable events are not created.

Thank you!

sundareshr · ‎06-09-2016

Try changing the double quotes around your fieldname to single quotes.... 'Endpoint - FIM - Rule' .Or try defining a variable and passing that variable to the macro. | eval agg_input='Endpoint - FIM - Rule'.date.Object_Name | aggregate(agg_input) Not sure if either will work, but worth a try.

DF10569 · ‎06-22-2016

Thank you for you help, but I tried both options and still received the same error.

What am I doing wrong with the aggregate macro syntax in my correlation search to create notable events?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...