Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why is my current stats search not producing a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can anyone tell me why this comment is not working? I have all the mentioned fields in my data, but when I add stats max(_time) as last_time by host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action |dedup last_time,host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action
I'm not getting any result. Here is my full search:
src=122.15.158.173 sourcetype=cisco:asa "Deny*" |stats max(_time) as last_time by host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action |dedup last_time,host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two things:
- You don't need the dedup afterwards because you are already summarising with stats
- If any of the fields in the stats group by clause does not exist or is empty you are going to have problems.
Try this first to see if the are any events matching your requirements with data in all the required fields:
src=122.15.158.173 sourcetype=cisco:asa "Deny*"
host=*
sourcetype=*
action=*
dest=*
dest_ip=*
dest_port=*
dev=*
index=*
msg=*
src=*
src_ip=*
src_port=*
vendor_action=*
If that works then append the stats afterwards:
| stats max(_time) as last_time by host, sourcetype, action, dest, dest_ip, dest_port, dev, index, msg, src, src_ip, src_port, vendor_action
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
as i checked, "sourcetype=cisco:asa" events are not having a field "dev"
tried it without "dev" and its working fine..
src=122.15.158.173 sourcetype=cisco:asa "Deny*"|stats max(_time) as last_time by host,sourcetype,action,dest,dest_ip,dest_port,index,msg,src,src_ip,src_port,vendor_action |dedup last_time,host,sourcetype,action,dest,dest_ip,dest_port,index,msg,src,src_ip,src_port,vendor_action
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, it has Dev field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oh ok. i thought cisco:asa logs may have same format. seems your environment is different. ok, thanks.
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two things:
- You don't need the dedup afterwards because you are already summarising with stats
- If any of the fields in the stats group by clause does not exist or is empty you are going to have problems.
Try this first to see if the are any events matching your requirements with data in all the required fields:
src=122.15.158.173 sourcetype=cisco:asa "Deny*"
host=*
sourcetype=*
action=*
dest=*
dest_ip=*
dest_port=*
dev=*
index=*
msg=*
src=*
src_ip=*
src_port=*
vendor_action=*
If that works then append the stats afterwards:
| stats max(_time) as last_time by host, sourcetype, action, dest, dest_ip, dest_port, dev, index, msg, src, src_ip, src_port, vendor_action
What’s New & Next in Splunk SOAR
Your Voice Matters! Help Us Shape the New Splunk Lantern Experience
September Community Champions: A Shoutout to Our Contributors!
