Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

rare command

Shakira1
Explorer
‎11-05-2023 04:33 AM

hello!

I have this search, and I want to add more parameters like time etc.

the thing is - when I'm using rare its show only the SHA256HashData and count

```index=myindex
| stats count by SHA256HashData
| rare SHA256HashData

any idea?

thanks! 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-05-2023 10:41 AM

Why did you not include all of that in the OP?  You could have had a solution many hours sooner.

index=myindex earliest=-24h
``` Count each hash value ```
| eventstats count by SHA256HashData
``` Find the hash value with the lowest count ```
| eventstats min(count) as minCount
``` Keep the hashes with the lowest count ```
| where count=minCount
| collect index=summary
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Shakira1
Explorer
‎11-06-2023 01:17 AM

when I run your search I got too many results ,

with rare I got only 10 results.

there is no options to use rare and add more fields to the table?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-06-2023 05:14 AM

Use the head command to limit the number of results.  The rare does not do what you want it to do because it discards fields and once fields are discarded they cannot be retrieved again.

index=myindex earliest=-24h
``` Count each hash value ```
| eventstats count by SHA256HashData
``` Find the hash value with the lowest count ```
| eventstats min(count) as minCount
``` Keep the hashes with the lowest count ```
| where count=minCount
| head 10
| collect index=summary
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Shakira1
Explorer
‎11-05-2023 07:00 AM

but I want to get the most unique SHA256HashData in the last 24h for example. and then fwd to summary index and start static about it, so for that I need to get more data

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-05-2023 06:54 AM

Both stats and rare are transforming commands, meaning only the fields used in or produced by the commands are available to later commands.  So the only fields available after stats are count and SHA256HashData; and the only fields available after rare are SHA256HashData, count, and percent.

To get additional fields out of stats, include them in the command.  To work around rare, use sort and tail.

index=myindex
| stats count, max(_time) as _time by SHA256HashData
| sort - SHA256HashData
| tail 10

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Related Topics
rare command
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...