Solved: help to filter data after a loadjob command

jip31 · ‎11-25-2019

hi
I use the scheduled search below

`winevent` (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND source="WinEventLog:Microsoft-Windows-Sysmon/Operational")
| fields host sourcetype source 
| stats dc(host) as host by sourcetype 
| sort -host

In my dashboard, I use a text box in order to be able to filter the results by host
So I call the scheduled search from my dashboard like this :
| loadjob savedsearch="admin:xxxxx:wineventbysourcetype"
| search host=$tok_filterhost$

The problem is that I can see my data but I am unable to filter by host
I succeed to filter by host if I put the stats command after the token filter :
| search host=$tok_filterhost$
| stats.....

But what I need is to keep the stats command in the scheduled search
so what is missing in my search please??

woodcock · ‎11-26-2019

Everything should work as-is with the possible exception of sort - host which is trimming your results set to 1000. Try switching to sort 0 - host and all should be good.

View solution in original post

woodcock · ‎11-26-2019

Everything should work as-is with the possible exception of sort - host which is trimming your results set to 1000. Try switching to sort 0 - host and all should be good.

jip31 · ‎11-27-2019

ok thanks

gcusello · ‎11-26-2019

Hi @jip31,
I tried something like your search
main search

index=wineventlog | head 3000

second search

| loadjob 1574769641.9641 | search NOT EventCode=4672 | stats count BY EventCode

and it's running!

Could you share the output of the loadjob command?

Ciao.
Giuseppe

jip31 · ‎11-26-2019

HI
like I said i am fonding a solution for thats working with stats in the search and not after loadjob
sorry no output for the loadjob command, I have just any results

gcusello · ‎11-26-2019

Hi @jip31,
In my example it runs:
main search

index=wineventlog | head 3000 | stats count BY EventCode

second search

| loadjob 1574770940.9780 | search EventCode=4624

Anyway, did you explored the opportunity to use summary indexes?
you can archive the output of searches using collect or tscollect.

Ciao.
Giuseppe

jip31 · ‎11-26-2019

Yes I think its something like this and if you see my example its almost what I am doing
But, the problem is that I cant done :
| stats dc(host) as host by sourcetype host

It means that its impossible to stats host and to do a filter.... by host

gcusello · ‎11-26-2019

Hi @jip31,
I don't know if this is the problem, but you cannot use the same field name in as and in by.

| stats dc(host) as host by sourcetype host

Anyway i tried a search
main search

index=wineventlog | head 3000 | stats dc(EventCode) As ec count BY Dominio_account EventCode

second search

| loadjob 1574775632.10229 | stats count BY Dominio_account

Ciao.

jip31 · ‎11-26-2019

thanks but its no exactly correspond to my expectations

gcusello · ‎11-26-2019

Hi @jip31,
what's the problem: to use host two times in stats or other?
Thi isn't possible also in a normal stats command.

You could run:

 `winevent` (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND source="WinEventLog:Microsoft-Windows-Sysmon/Operational")
 | fields host sourcetype source 
 | stats dc(host) as dc_host by sourcetype host
 | sort -host

Ciao.
Giuseppe

help to filter data after a loadjob command

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?