Splunk Search

Specified field missing from results: time

remy06
Contributor

I'm trying to group similar events in a search for Linux audit events. I've managed to group them by the event time, but the results listed the events according to the pid instead.

When I tried to sort them by time, it gave me the error:
Specified field(s) missing from results: 'time'

Here is my search command:
source="auditd" auid=root OR uid=root OR auid=0 | transaction time | fillnull value="-" | stats values(Session_ID) ,values(type) ,values(path) ,values(time) by pid auid exe | sort time

"time" is a field extracted from the raw event. The current results give me the pid & Session_ID in ascending order, but I want to sort them by the time instead.

0 Karma

remy06
Contributor

I've tried using this from your solution:

source="auditd" | transaction time | fillnull value="-" | stats values(Session_ID),values(type),values(path) by time pid auid exe | sort time

It displays my results nicely. However, it is in ascending order, and when I tried to sort it in descending order using "| sort -time", the results are still shown in ascending order.

0 Karma

remy06
Contributor

I'd like to display in descending order so that the last event is shown first in the results table in Splunk. When I use the "table" command in place of stats everything is shown nicely, but it doesn't allow us to drill down by clicking on the event; that's why I am considering using stats.

0 Karma

gkanapathy
Splunk Employee

The stats command removes all fields other than those explicitly named there. After stats processes the data, there is no longer a field named time, though there is a multi-valued field called values(time). I don't know how you want to resolve what to do if there are multiple time values for each pid auid exe combination, but your choices are:

... | stats 
        values(Session_ID)
        values(type)
        values(path)
        last(time) as time 
      by pid auid exe
    | sort time

which will just include the last (i.e., earliest) time. You could use first(time) to use the first (i.e. most recent) time for any given pid auid exe combination. Or you could say:

... | stats 
        values(Session_ID)
        values(type)
        values(path)
      by time pid auid exe
    | sort time

which will create a separate entry for each value of time (in combination with each pid auid exe).
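The behaviour described in this answer, as an added example that is not part of the original thread and not Splunk's own code: a small Python stand-in for `stats ... by` and `sort` run over a handful of constructed auditd-style events. It shows why the original search fails (after stats there is no scalar `time`, only `values(time)`), why `last(time) as time` makes `sort -time` work, and how `by time pid auid exe` produces one row per distinct time. The events, field values, and the assumption that stats receives events most-recent-first (Splunk's default search order, which is what makes `last()` the earliest) are all constructed for illustration.

```python
"""Emulate 'stats ... by' and 'sort' from the answer above.

Stand-in for Splunk's stats/sort commands, not Splunk code. The events
below are constructed auditd-style records; field names follow the
searches in the thread.
"""
from collections import OrderedDict

# Constructed sample events, in the order Splunk hands them to stats:
# most recent first (default reverse-chronological search order).
EVENTS = [
    {"time": "10:00:05", "pid": "1203", "auid": "0", "exe": "/usr/bin/sudo",
     "type": "SYSCALL", "path": "/etc/shadow", "Session_ID": "7"},
    {"time": "10:00:04", "pid": "1203", "auid": "0", "exe": "/usr/bin/sudo",
     "type": "PATH", "path": "/etc/shadow", "Session_ID": "7"},
    {"time": "09:59:30", "pid": "1190", "auid": "0", "exe": "/usr/bin/vi",
     "type": "SYSCALL", "path": "/etc/passwd", "Session_ID": "7"},
    {"time": "09:58:00", "pid": "1150", "auid": "0", "exe": "/bin/cat",
     "type": "SYSCALL", "path": "/root/.ssh/id_rsa", "Session_ID": "6"},
]


def values(rows, field):
    """values(field): distinct values in order of first appearance."""
    return list(OrderedDict.fromkeys(r[field] for r in rows if field in r))


def stats_by(events, by, aggregates):
    """Minimal 'stats <aggregates> by <by-fields>'.

    aggregates is a list of (function, input_field, output_name).
    Only the by-fields and the output names survive, which is why a
    bare 'time' disappears unless some output is named 'time'.
    """
    groups = OrderedDict()
    for ev in events:
        groups.setdefault(tuple(ev[f] for f in by), []).append(ev)
    out = []
    for key, rows in groups.items():
        row = dict(zip(by, key))
        for func, field, name in aggregates:
            if func == "values":
                row[name] = values(rows, field)
            elif func == "first":   # first event seen = most recent
                row[name] = rows[0][field]
            elif func == "last":    # last event seen = earliest
                row[name] = rows[-1][field]
        out.append(row)
    return out


def sort_by(rows, field, descending=False):
    """'sort field' / 'sort -field'; fails like Splunk when the field
    is absent from every result row."""
    if not any(field in r for r in rows):
        raise KeyError(f"Specified field(s) missing from results: '{field}'")
    return sorted(rows, key=lambda r: r[field], reverse=descending)


COMMON = [
    ("values", "Session_ID", "values(Session_ID)"),
    ("values", "type", "values(type)"),
    ("values", "path", "values(path)"),
]


def original_search():
    """... | stats values(...) values(time) by pid auid exe | sort time"""
    rows = stats_by(EVENTS, ["pid", "auid", "exe"],
                    COMMON + [("values", "time", "values(time)")])
    return sort_by(rows, "time")   # raises: no scalar 'time' after stats


def last_time_search(descending=True):
    """... | stats values(...) last(time) as time by pid auid exe | sort -time"""
    rows = stats_by(EVENTS, ["pid", "auid", "exe"],
                    COMMON + [("last", "time", "time")])
    return sort_by(rows, "time", descending=descending)


def split_by_time_search():
    """... | stats values(...) by time pid auid exe | sort time"""
    rows = stats_by(EVENTS, ["time", "pid", "auid", "exe"], COMMON)
    return sort_by(rows, "time")


if __name__ == "__main__":
    try:
        original_search()
    except KeyError as err:
        print("original search:", err)
    for row in last_time_search():
        print("last(time) as time:", row["time"], row["pid"], row["exe"])
    for row in split_by_time_search():
        print("by time:", row["time"], row["pid"], row["exe"])
```

Two caveats follow from the emulation. `first()` and `last()` are order-dependent, so "last = earliest" only holds while stats receives events in the default most-recent-first order; a preceding `sort` or `reverse` flips it. And the constructed `time` strings are fixed-width, so they sort correctly as text; if the extracted `time` in your events is not in a lexicographically sortable format, aggregating `_time` instead (`last(_time) as _time` and `sort -_time`) avoids that problem, since `_time` is numeric.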
