Solved: Why is the stats command wiping out a custom extra...

_dave_b · ‎12-04-2015

Hello. if I run a search like this:

"..." | dedup 2 correlationId | eval EpochTime = _time | eval nowTimeEpoch=time() | eval minTime=0 | eval maxTime=1 | stats min(EpochTime) as minTime  max(EpochTime) as maxTime | table minTime, maxTime, correlationId

I get epoch time values for minTime and maxTime, but nothing for the correlationId, which is a custom field extracted by a regular expression.

If I change the search by removing the stats component, I get a value for correlationId, and default dummy values 0 and 1 for minTime and maxTime. Apparently when stats is run, it does something to wipe out the value for correlationId. Why does this happen, and how can I get the stats functions to work harmoniously so that I can parse and see all the values?

Thanks for your help

sundareshr · ‎12-04-2015

Try this

..| stats min(EpochTime) as minTime max(EpochTime) as maxTime by correlationId

View solution in original post

sundareshr · ‎12-04-2015

Try this

..| stats min(EpochTime) as minTime max(EpochTime) as maxTime by correlationId

_dave_b · ‎12-04-2015

That does it! thanks for the quick reply

jeffland · ‎12-07-2015

Did you understand WHY your field is not available after a stats command? You should have a look here.

Why is the stats command wiping out a custom extracted field from my search results?

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector