I have tried creating a search macro with a stats command, and *any* of the stats arguments returns with "Error in 'stats' command: The argument 'last(field)' is invalid." It always errors out on the first argument in the stats command list.
##So if I use the line below, I get the error @ dc(fielda):
stats dc(fielda) as count, last(fieldb) as B ... by field_id
##If I use the line below, I instead get the error @ last(fieldb):
stats last(fieldb) as B, dc(fielda) as count ... by field_id
If I use the stats command in a regular search, it works fine, but if I substitute the macro, it returns the error. Example:
index="index" fieldx="xxx" | `my_macro` | table *
Ultimately my goal is to create a 'transaction-like' macro that will organize my events.
Yes, I know I can just use transaction, but in our circumstances a stats-based
pseudo transaction is a lot faster, and the macro would be cleaner for the Splunk users.
##My stats Command [name = create_transaction]
stats dc(session_status) as session_status_count,
values(session_status) as session_status,
last(src_mac) as src_mac,
last(src_ip) as src_ip,
last(dest_ip) as dest_ip,
last(user) as user,
last(user_group) as user_group,
last(src_nt_group) as src_nt_group,
last(src_country_color) as src_country_color,
last(_time) as session_start_time,
first(_time) as session_end_time,
last(date_wday_short) as www,
last(date_month_num) as MM,
last(date_year) as YYYY,
last(date_mday) as dd,
last(src_nt_host) as src_nt_host,
last(src_os_software) as src_os_software,
last(src_os_version) as src_os_version,
last(src_country) as src_country,
last(src_region) as src_region,
last(src_city) as src_city
by session_id
##Search Command
user=$user$ | `create_transaction` |
strcat www ": " MM "." dd "." YYYY fullDate |
eval time=strftime(session_start_time,"%H:%M") |
eval active_duration=tostring((now()-session_start_time),"duration") |
eval timeDelta=tostring((session_end_time-session_start_time),"duration") |
eval duration=if(session_status="logout",timeDelta,active_duration) |
table session_id, user, time, fullDate, duration, src_ip, dest_ip, src_mac,
src_nt_host, src_os_software, src_os_version, src_country, src_region, src_city |
sort -session_id
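For reference, this is how a macro like the one above is laid out in macros.conf. It is an added example, not taken from the original post: the app path in the comment is an assumption, and the definition is the post's stats command written as a single conf value, using the backslash line continuation that Splunk .conf files accept. The macro takes no arguments, so the stanza name carries no "(n)" suffix, and the definition has no leading pipe because the search above already supplies it before `create_transaction`.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf
# Stanza name = macro name; a macro with arguments would be [name(argcount)].
[create_transaction]
definition = stats dc(session_status) as session_status_count, \
    values(session_status) as session_status, \
    last(src_mac) as src_mac, last(src_ip) as src_ip, last(dest_ip) as dest_ip, \
    last(user) as user, last(user_group) as user_group, last(src_nt_group) as src_nt_group, \
    last(src_country_color) as src_country_color, \
    last(_time) as session_start_time, first(_time) as session_end_time, \
    last(date_wday_short) as www, last(date_month_num) as MM, \
    last(date_year) as YYYY, last(date_mday) as dd, \
    last(src_nt_host) as src_nt_host, last(src_os_software) as src_os_software, \
    last(src_os_version) as src_os_version, \
    last(src_country) as src_country, last(src_region) as src_region, last(src_city) as src_city \
    by session_id
# Plain text substitution, not an eval expression (this is the default).
iseval = 0
```

Because the definition is substituted verbatim into the search string, `last(_time)` and `first(_time)` keep the semantics of the inline version: with default reverse-chronological event order, `last()` is the oldest value in the session and `first()` the newest, which is why `last(_time)` becomes session_start_time.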