Solved: stats with where clause not filtering

thailam · ‎12-29-2020

Good day everyone,

Ran into following problem,

The query
index=source | eval time=strftime(_time, "%+)

|stats

max(time)

values(from) as Sender,

values(rcpt) as Recipients,

value(subject) as Subject

values(hops_ip) as SenderIP

values (ref) as Reference

by ref |where like(senderIP, "10.%)

Not sure where went wrong, senderIP which is not 10.% is still showing. I did noticed that the ref value appears multiple times for different transaction, that could be the cause? Happy new year in advance!

to4kawa · ‎12-29-2020

your SenderIP is multivalue. it can't work with where like()

If you only know the logs, you should make single value from SenderIP.

View solution in original post

thailam · ‎01-03-2021

Due to the log "ref" value may sometime appears multiple times, is there a way i am able to filter by "ref" together with "hdr_mid"?

scelikok · ‎12-29-2020

Hi @thailam,

You should better filter hops_ip before stats like below;

index=source hops_ip="10.0.0.0/8"
| stats max(_time) as _time values(from) as Sender values(rcpt) as Recipients values(subject) as Subject values(hops_ip) as SenderIP values(ref) as Reference by ref

If this reply helps you an upvote and "Accept as Solution" is appreciated.

thailam · ‎12-29-2020

Hi Scelikok,

Just tried that, it works however the sender and recipients is now empty 😕

scelikok · ‎12-30-2020

Only reason maybe "from" and "rcpt" field names are wrong. Can you please check is there is something wrong about case or typo. Do you see these fields on "Interesting Fields" list?

If this reply helps you an upvote and "Accept as Solution" is appreciated.

thailam · ‎12-30-2020

Hi Scelikok

Yes that's correct, its not showing right after i've moved the where clause to the top.

thailam · ‎12-29-2020

The log has for example "ref" in the log sometime may show different IP. Is anyway i can achieve something similar and to filter away unwanted IP? Thanks!

thailam · ‎12-29-2020

I have tried the following, however the IP which is not "10%" still showing. Thanks sincerely!

to4kawa · ‎12-29-2020

your SenderIP is multivalue. it can't work with where like()

If you only know the logs, you should make single value from SenderIP.

thailam · ‎01-03-2021

I think this is correct, where can only filter a single value. Have tried, whenever there is only single value it correctly removes it.

to4kawa · ‎12-29-2020

field name is case-sensitive, so senderIP is not same with SenderIP.

index=source 
|stats max(_time) as _time, values(from) as Sender, values(rcpt) as Recipients, values(subject) as Subject, values(hops_ip) as SenderIP　by ref |where like(SenderIP, "10.%") | rename ref as Reference

Also, there are too many minor mistakes.

stats with where clause not filtering

stats

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...