cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
bradw2021
Engager
Member since: ‎07-25-2022
‎07-27-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-25-2022
Activity Feed
View All

Re: tstats count as output to eval subsearch

by in Splunk Search
‎07-27-2022 12:06 PM
‎07-27-2022 12:06 PM
Thank you @schose - Will play some more with the return function, as the map command is slooooooooooow and defeats the benefit of using the tstats/TERM search for a rapid count ... View more

Re: tstats count as output to eval subsearch

by in Splunk Search
‎07-27-2022 12:04 PM
‎07-27-2022 12:04 PM
Was able to add the map command output to the main search output by appending a bunch of eval commands to the map search. Thank you @ITWhisperer  ... View more

Re: tstats count as output to eval subsearch

by in Splunk Search
‎07-26-2022 09:20 AM
‎07-26-2022 09:20 AM
Thank you @ITWhisperer - This could potentially be a part of the solution, but seems to be focused on passing a variable from the main search to a secondary search, whereas I am trying to take secondary search results (Sender_Count below) and add them to the table generated by the main search, e.g. Before: _time Sender_Address Subject Recipient 7/26/2022 12:16:00 jdoe@acme.tld Please sign this document user1@mycorp.tld 7/26/2022 12:16:05 jane.doe@hacker.tld You can trust me user2@mycorp.tld 7/26/2022 12:16:10 benign@mycorp.tld You're fired user3@mycorp.tld   After: _time Sender_Address Subject Recipient Sender_Count 7/26/2022 12:16:00 jdoe@acme.tld Please sign this document user1@mycorp.tld 1 7/26/2022 12:16:05 jane.doe@hacker.tld You can trust me user2@mycorp.tld 0 7/26/2022 12:16:10 benign@mycorp.tld You're fired user3@mycorp.tld 48 ... View more

How to use tstats count as output to eval subsearc...

by in Splunk Search
‎07-25-2022 05:15 PM
‎07-25-2022 05:15 PM
Have a search that returns emails of interest (possibly malicious). Trying to add a subsearch that will return a count of how many times each sender address has been seen in the last 30 days (regardless of the timeframe used in the main search). When using the search below, Splunk returns a "Error in eval command: Fields cannot be assigned a boolean result" error based on the eval command. The tstats command works fine independently. index=proofpoint | rex field=msg.header.reply-to{} ".*\<(?<Sender_Address>[a-zA-Z0-9\.\-\+]+@[a-zA-Z0-9\.\-]+)\>" | eval Sender_Count=[ | tstats count where index=proofpoint TERM($Sender_Address$) earliest=-30d@m latest=now] | table _time msg_header_from msg.header.reply-to{} Sender_Address Sender_Count   Don't worry about the sub-optimal email matching regex - just POC. Tried appendcols, too, with no luck. Is this possible? Thank you ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-27-2022 05:15 PM