Solved: how to use eval and stats first() (for dummies)

wsw70 · ‎06-25-2012

Hello,

Summary: how to get most recent vents for a given ID (for dummies)

I have data in the following format:

# OStime OSip OSreg OSstatus
1340406378 10.34.245.50 AG "NO TM"
1340406378 10.34.245.64 AG "NO TM"
1340406378 10.34.245.65 AG "NO TM"

OStime (which is correctly recognized as a timestamp) is unique to a set of data - there are many OStime entries in the index but I am only interested in the most recent one.

... | stats first(OStime)

correctly shows me the first instance of OStime

I then tried to do use it in an eval to get only data corresponding to this timestamp

... | eval mostrecent = stats first(OStime) | search OStime=mostrecent

This fails with a "Error in 'eval' command: The operator at 'first(OStime)' is invalid."

Thans in davnce for pointing me what is wrong, I looked at the examples in the documentation for eval, they look like mine except that they work 🙂

kristian_kolb · ‎06-25-2012

Hi,

I believe that there is a bit of confusion of concepts. stats operates on the whole set of events returned from the base search, and in your case you want to extract a single value from that set. eval creates a new field for all events returned in the search. Creating a new field called 'mostrecent' for all events is probably not what you intended.

Also if you look more closely at the documentation for eval, you will see that stats is not a valid function to eval.

Solution:
The default behaviour of Splunk is to return the most recent events first, so if you just want the find all events that have the same OStime as the most recent event you can use the head command in a subsearch;

sourcetype=your_sourcetype [search sourcetype=your_sourcetype | head 1 | fields + OStime]

The subsearch (within the square brackets) returns the field OStime (along with its value) for the most recent event (head 1) and adds it to the outer search, so that the main search reads something like;

sourcetype=your_sourcetype OStime=123345456

Hope this helps,

Kristian

View solution in original post

kristian_kolb · ‎06-25-2012

Hi,

I believe that there is a bit of confusion of concepts. stats operates on the whole set of events returned from the base search, and in your case you want to extract a single value from that set. eval creates a new field for all events returned in the search. Creating a new field called 'mostrecent' for all events is probably not what you intended.

Also if you look more closely at the documentation for eval, you will see that stats is not a valid function to eval.

Solution:
The default behaviour of Splunk is to return the most recent events first, so if you just want the find all events that have the same OStime as the most recent event you can use the head command in a subsearch;

sourcetype=your_sourcetype [search sourcetype=your_sourcetype | head 1 | fields + OStime]

The subsearch (within the square brackets) returns the field OStime (along with its value) for the most recent event (head 1) and adds it to the outer search, so that the main search reads something like;

sourcetype=your_sourcetype OStime=123345456

Hope this helps,

Kristian

wsw70 · ‎06-25-2012

Thanks for the very detailed answer. Everything is now clear.

Ayn · ‎06-25-2012

eval works on a per-event basis, so stats commands for operating on multiple events doesn't apply.

Splunk should already have indexed your data so that it uses OStime as its internal timestamp as well. In that case, getting the most recent event could be achieved like this:

... | head 1

wsw70 · ‎06-25-2012

Thanks! Together with Kristian's answer it is now clear

kristian_kolb · ‎06-25-2012

Hmm, it seems that I spend too long time editing my answers 🙂

how to use eval and stats first() (for dummies)

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...