Splunk Search

Why is my current stats search not producing any results?

New Member

Hi,

Can anyone tell me why this comment is not working? I have all the mentioned fields in my data, but when I add stats max(_time) as last_time by host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action |dedup last_time,host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action
I'm not getting any result. Here is my full search:

src=122.15.158.173 sourcetype=cisco:asa "Deny*" |stats max(_time) as last_time by host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action |dedup last_time,host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Two things:

  • You don't need the dedup afterwards because you are already summarising with stats
  • If any of the fields in the stats group by clause does not exist or is empty you are going to have problems.

Try this first to see if the are any events matching your requirements with data in all the required fields:

src=122.15.158.173 sourcetype=cisco:asa "Deny*" 
    host=* 
    sourcetype=*
    action=* 
    dest=* 
    dest_ip=* 
    dest_port=* 
    dev=* 
    index=* 
    msg=* 
    src=* 
    src_ip=* 
    src_port=* 
    vendor_action=* 

If that works then append the stats afterwards:

| stats max(_time) as last_time by host, sourcetype, action, dest, dest_ip, dest_port, dev, index, msg, src, src_ip, src_port, vendor_action

View solution in original post

Champion

as i checked, "sourcetype=cisco:asa" events are not having a field "dev"

tried it without "dev" and its working fine..
src=122.15.158.173 sourcetype=cisco:asa "Deny*"|stats max(time) as lasttime by host,sourcetype,action,dest,destip,destport,index,msg,src,srcip,srcport,vendoraction |dedup lasttime,host,sourcetype,action,dest,destip,destport,index,msg,src,srcip,srcport,vendor_action

0 Karma

New Member

No, it has Dev field.

0 Karma

Champion

oh ok. i thought cisco:asa logs may have same format. seems your environment is different. ok, thanks.

0 Karma

SplunkTrust
SplunkTrust

Two things:

  • You don't need the dedup afterwards because you are already summarising with stats
  • If any of the fields in the stats group by clause does not exist or is empty you are going to have problems.

Try this first to see if the are any events matching your requirements with data in all the required fields:

src=122.15.158.173 sourcetype=cisco:asa "Deny*" 
    host=* 
    sourcetype=*
    action=* 
    dest=* 
    dest_ip=* 
    dest_port=* 
    dev=* 
    index=* 
    msg=* 
    src=* 
    src_ip=* 
    src_port=* 
    vendor_action=* 

If that works then append the stats afterwards:

| stats max(_time) as last_time by host, sourcetype, action, dest, dest_ip, dest_port, dev, index, msg, src, src_ip, src_port, vendor_action

View solution in original post