help to filter data after a loadjob command

jip31
Motivator

Hi,
I use the scheduled search below:

`winevent` (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND source="WinEventLog:Microsoft-Windows-Sysmon/Operational")
| fields host sourcetype source 
| stats dc(host) as host by sourcetype 
| sort -host

In my dashboard, I use a text box in order to be able to filter the results by host.
So I call the scheduled search from my dashboard like this:
| loadjob savedsearch="admin:xxxxx:wineventbysourcetype"
| search host=$tok_filterhost$

The problem is that I can see my data but I am unable to filter by host.
I succeed in filtering by host if I put the stats command after the token filter:
| search host=$tok_filterhost$
| stats.....

But what I need is to keep the stats command in the scheduled search.
So what is missing in my search, please?

1 Solution

woodcock
Esteemed Legend

Everything should work as-is with the possible exception of sort -host which is trimming your result set to 1000. Try switching to sort 0 -host and all should be good.


0 Karma

jip31
Motivator

OK, thanks

0 Karma

gcusello
SplunkTrust

Hi @jip31,
I tried something like your search.
Main search:

index=wineventlog | head 3000

Second search:

| loadjob 1574769641.9641 | search NOT EventCode=4672 | stats count BY EventCode

and it's running!

Could you share the output of the loadjob command?

Ciao.
Giuseppe

0 Karma

jip31
Motivator

Hi,
like I said, I am finding a solution that's working with stats in the search and not after loadjob.
Sorry, no output for the loadjob command, I have just any results.

0 Karma

gcusello
SplunkTrust

Hi @jip31,
In my example it runs:
Main search:

index=wineventlog | head 3000 | stats count BY EventCode

Second search:

| loadjob 1574770940.9780 | search EventCode=4624

Anyway, did you explore the opportunity to use summary indexes?
You can archive the output of searches using collect or tscollect.

Ciao.
Giuseppe

0 Karma

jip31
Motivator

Yes, I think it's something like this, and if you see my example it's almost what I am doing.
But the problem is that I can't do:
| stats dc(host) as host by sourcetype host

It means that it's impossible to stats host and to do a filter... by host

0 Karma

gcusello
SplunkTrust

Hi @jip31,
I don't know if this is the problem, but you cannot use the same field name in as and in by.

| stats dc(host) as host by sourcetype host

Anyway I tried a search.
Main search:

index=wineventlog | head 3000 | stats dc(EventCode) As ec count BY Dominio_account EventCode

Second search:

| loadjob 1574775632.10229 | stats count BY Dominio_account

Ciao.

0 Karma

jip31
Motivator

Thanks, but it doesn't exactly correspond to my expectations

0 Karma

gcusello
SplunkTrust

Hi @jip31,
What's the problem: using host two times in stats, or something else?
This isn't possible in a normal stats command either.

You could run:

`winevent` (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND source="WinEventLog:Microsoft-Windows-Sysmon/Operational")
| fields host sourcetype source
| stats dc(host) as dc_host by sourcetype host
| sort -host

Ciao.
Giuseppe

0 Karma
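An added example (not from any post in this thread) that keeps stats in the scheduled search while still letting the dashboard token filter by host: the saved search keeps host as a BY field, so each row still carries a real hostname, and the distinct count is recomputed after the loadjob. The first search is the scheduled search, the second is what the dashboard panel runs; the saved search name and the token are the ones from the question.

```spl
`winevent` (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND source="WinEventLog:Microsoft-Windows-Sysmon/Operational")
| fields host sourcetype source
| stats count by sourcetype host

| loadjob savedsearch="admin:xxxxx:wineventbysourcetype"
| search host=$tok_filterhost$
| stats dc(host) as host by sourcetype
| sort 0 -host
```

With the original saved search, host already held the distinct count when the token filter ran, so a hostname could never match it; here the filter sees hostnames, the panel aggregates only the filtered rows, and sort 0 avoids the result truncation mentioned in the accepted answer.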