
Search Macro error in Stats Command

jason_hubbard
Path Finder

I have tried creating a Search macro with a stats command and *any* of the stats arguments return with an "Error in 'stats' command: The argument 'last(field)' is invalid." It always errors out on the first argument in the stats command list.

##So if I use the line below, I get the error @ dc(fielda):
stats dc(fielda) as count, last(fieldb) as B ... by field_id
##If I use the line below, I instead get the error @ last(fieldb):
stats last(fieldb) as B, dc(fielda) as count ... by field_id

If I use the Stats command in a regular search, it works fine, but if I substitute the macro it returns the error. Example ...

index="index" fieldx="xxx" | `my_macro` | table *

Ultimately my goal is to create a 'transaction-like' macro that will organize my events. Yes, I know I can just use Transaction, but in our circumstances doing a stats-based pseudo-transaction is a lot faster, and the macro would be cleaner for the Splunk users.

##My stats Command [name = create_transaction]
stats dc(session_status) as session_status_count,
values(session_status) as session_status,
last(src_mac) as src_mac, 
last(src_ip) as src_ip, 
last(dest_ip) as dest_ip, 
last(user) as user,
last(user_group) as user_group, 
last(src_nt_group) as src_nt_group,
last(src_country_color) as src_country_color,
last(_time) as session_start_time, 
first(_time) as session_end_time,
last(date_wday_short) as www,
last(date_month_num) as MM,
last(date_year) as YYYY,
last(date_mday) as dd, 
last(src_nt_host) as src_nt_host, 
last(src_os_software) as src_os_software, 
last(src_os_version) as src_os_version, 
last(src_country) as src_country, 
last(src_region) as src_region, 
last(src_city) as src_city, 
by session_id

##Search Command
user=$user$ | `create_transaction` | 
strcat www ": " MM "." dd "." YYYY fullDate |
eval time=strftime(session_start_time,"%H:%M") | 
eval active_duration=tostring((now()-session_start_time),"duration") | 
eval timeDelta=tostring((session_end_time-session_start_time),"duration") | 
eval duration=if(session_status="logout",timeDelta,active_duration) | 
table session_id, user, time, fullDate, duration, src_ip, dest_ip, src_mac,
src_nt_host, src_os_software, src_os_version, src_country, src_region, src_city | 
sort -session_id


jason_hubbard
Path Finder

I found out what was causing my issue: a paragraph return. In my copying and pasting back and forth to Notepad, I guess I must have hit return once right after stats, and with the small input text box in Splunk I just assumed that the line wrapped because the next word was long.

Now I can use this: index="xxx" `create_transaction(fieldname,searchterm)`

##[create_transaction]
$search_field$="$search_term$" | 
stats dc(session_status) as session_status_count, 
values(session_status) as session_status, 
last(src_mac) as src_mac, 
last(src_ip) as src_ip, 
last(dest_ip) as dest_ip, 
last(user) as user, 
last(user_group) as user_group, 
last(src_nt_group) as src_nt_group, 
last(src_country_color) as src_country_color, 
last(_time) as session_start_time, 
first(_time) as session_end_time, 
first(date_wday_short) as www, 
first(date_month_num) as MM, 
first(date_year) as YYYY, 
first(date_mday) as dd, 
last(src_nt_host) as src_nt_host, 
last(src_os_software) as src_os_software, 
last(src_os_version) as src_os_version, 
last(src_country) as src_country, 
last(src_region) as src_region, 
last(src_city) as src_city, by session_id | 
strcat www ": " MM "." dd "." YYYY fullDate | 
eval time=strftime(session_start_time,"%H:%M") | 
eval active_duration=tostring((now()-session_start_time),"duration") | 
eval timeDelta=tostring((session_end_time-session_start_time),"duration") | 
eval duration=if(session_status="logout",timeDelta,active_duration) | 
table session_id, user, time, fullDate, duration, src_ip, dest_ip, src_mac, src_nt_host,
src_os_software, src_os_version, src_country, src_region, src_city | 
sort -session_id

Note: In the actual macro, the line returns are removed (as I have learned).
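The macro above is a stats-based pseudo-transaction, and the one subtle point in it is the first()/last() convention: Splunk hands stats its events newest-first, so first(_time) is the most recent timestamp and last(_time) the oldest, which is why the macro maps last(_time) to session_start_time and first(_time) to session_end_time (a sort or reverse placed before the macro would swap the two). The Python below is an added example, not the poster's or Splunk's code; it reproduces the macro's per-session_id computation over constructed events so that convention is visible. The events, session ids and timestamps are constructed, `create_transaction` and `duration_str` are this example's own names, and `duration_str` only approximates tostring(x, "duration").

```python
"""Stats-based pseudo-transaction in Python (added example, not the thread's code).

Mirrors what the `create_transaction` macro computes for each session_id:
dc(), values(), first() and last(), then the start/end/duration evals.
Splunk feeds stats its events newest-first, so first() is the most recent
event and last() the oldest; EVENTS below is kept in that order.
"""
import time
from collections import defaultdict

# Constructed sample events, newest first, as Splunk would return them.
EVENTS = [
    {"_time": 1300000900, "session_id": "s1", "session_status": "logout",
     "user": "alice", "src_ip": "10.0.0.5", "dest_ip": "10.1.1.1"},
    {"_time": 1300000600, "session_id": "s2", "session_status": "active",
     "user": "bob", "src_ip": "10.0.0.9", "dest_ip": "10.1.1.1"},
    {"_time": 1300000500, "session_id": "s2", "session_status": "login",
     "user": "bob", "src_ip": "10.0.0.9", "dest_ip": "10.1.1.1"},
    {"_time": 1300000300, "session_id": "s1", "session_status": "active",
     "user": "alice", "src_ip": "10.0.0.5", "dest_ip": "10.1.1.1"},
    {"_time": 1300000000, "session_id": "s1", "session_status": "login",
     "user": "alice", "src_ip": "10.0.0.5", "dest_ip": "10.1.1.1"},
]

# Fields the macro carries over with last(<field>), i.e. from the oldest event.
LAST_FIELDS = ("user", "src_ip", "dest_ip")


def duration_str(seconds):
    """Approximation of tostring(<seconds>, "duration"): [D+]HH:MM:SS."""
    seconds = int(seconds)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{hms}" if days else hms


def create_transaction(events, now=None):
    """Return one row per session_id, like `... | `create_transaction``."""
    now = time.time() if now is None else now
    by_session = defaultdict(list)
    for ev in events:                      # keep search order within a session
        by_session[ev["session_id"]].append(ev)

    rows = {}
    for sid, evs in by_session.items():
        newest, oldest = evs[0], evs[-1]   # first() and last() respectively
        statuses = sorted({e["session_status"] for e in evs})   # values(): distinct, sorted
        row = {
            "session_id": sid,
            "session_status_count": len(statuses),              # dc(session_status)
            "session_status": statuses,
            "session_start_time": oldest["_time"],              # last(_time)
            "session_end_time": newest["_time"],                # first(_time)
        }
        for field in LAST_FIELDS:
            row[field] = oldest.get(field)
        # The macro takes timeDelta once the session reached "logout",
        # otherwise the time elapsed since the session started.
        if "logout" in statuses:
            row["duration_seconds"] = row["session_end_time"] - row["session_start_time"]
        else:
            row["duration_seconds"] = now - row["session_start_time"]
        row["duration"] = duration_str(row["duration_seconds"])
        rows[sid] = row
    return rows


if __name__ == "__main__":
    for sid, row in sorted(create_transaction(EVENTS, now=1300002000).items(), reverse=True):
        print(sid, row["user"], row["session_status"], row["duration"])
```

Passing a fixed `now` makes the open-session duration reproducible; in a real pipeline it is the wall clock, exactly as now() is in the macro's eval.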

hazekamp
Builder

Jason,

What version of Splunk are you using? I just tried reproducing this successfully in 4.2 like so:

## macros.conf
[mymacro]
definition = stats dc(sourcetype) as unique_sourcetypes, last(host) as last_host by source

## searches (both worked fine)
index=_internal | head 10 | `mymacro`
index=_internal | head 10 | `mymacro` | table *

Could you possibly provide your macro definition? I noticed in the search above you didn't have backticks surrounding your macro... I'm assuming this was just in the example, or something escaped by Answers?

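The macros.conf stanza above, together with the poster's finding that a stray line break right after `stats` was the whole problem, suggests a check worth running on macros.conf before a macro reaches a search. The Python below is an added example, not Splunk's or either poster's code: it reads a macros.conf text using the trailing-backslash continuation that multi-line definitions use, keeps the break instead of collapsing it, flags a break that separates a command from its first argument, and cross-checks the stanza's `(N)` arity, its `args` list and the `$name$` placeholders (the form the poster's two-argument `create_transaction(fieldname,searchterm)` macro uses). The sample conf is constructed, and `parse_conf`, `lint_macro`, `lint_all` and the `SPL_COMMANDS` set are this example's own names.

```python
"""Lint for Splunk macros.conf definitions (added example, not Splunk's code).

Checks the two things that bit this thread: a line break inside a definition
(especially right after a command such as stats) and argument plumbing that
does not line up between the stanza name, the args list and the $name$ tokens.
"""
import re

# Commands whose first argument must follow on the same line. Extend as needed.
SPL_COMMANDS = {"stats", "eventstats", "streamstats", "chart", "timechart",
                "top", "rare", "table", "eval", "where", "strcat", "sort", "search"}

# Constructed sample macros.conf; the second stanza carries the thread's bug.
MACROS_CONF = """\
[mymacro]
definition = stats dc(sourcetype) as unique_sourcetypes, last(host) as last_host by source

[create_transaction(2)]
args = search_field,search_term
definition = $search_field$="$search_term$" | stats \\
dc(session_status) as session_status_count, last(_time) as session_start_time by session_id

[broken_args(1)]
args = field_a,field_b
definition = stats count by $field_a$
"""


def parse_conf(text):
    """Minimal .conf reader: [stanza], key = value, trailing-backslash continuation.
    A continued value keeps the line break instead of collapsing it, so the
    lint can see exactly what a multi-line definition contains."""
    stanzas, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        i += 1
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in stripped:
            continue
        key, value = (part.strip() for part in stripped.split("=", 1))
        while value.endswith("\\") and i < len(lines):
            value = value[:-1] + "\n" + lines[i].strip()
            i += 1
        stanzas[current][key] = value
    return stanzas


def lint_macro(name, stanza):
    """Return a list of human-readable findings for one macro stanza."""
    findings = []
    definition = stanza.get("definition", "")

    # 1. Line breaks inside the definition; report the word left dangling before each.
    for m in re.finditer(r"(\S+)[ \t]*\n", definition):
        word = m.group(1).lower()
        if word in SPL_COMMANDS:
            findings.append(f"line break splits '{word}' from its first argument")
        else:
            findings.append(f"embedded line break after '{m.group(1)}'")

    # 2. Argument plumbing: [name(N)] arity, args list and $placeholder$ tokens.
    head = re.fullmatch(r"(\w+)(?:\((\d+)\))?", name)
    declared = int(head.group(2)) if head and head.group(2) else 0
    args = [a.strip() for a in stanza.get("args", "").split(",") if a.strip()]
    if declared != len(args):
        findings.append(f"stanza declares {declared} argument(s) but args lists {len(args)}")
    placeholders = set(re.findall(r"\$(\w+)\$", definition))
    for unused in sorted(set(args) - placeholders):
        findings.append(f"argument '{unused}' is never used in the definition")
    for orphan in sorted(placeholders - set(args)):
        findings.append(f"placeholder '${orphan}$' has no matching argument")
    return findings


def lint_all(text):
    """Map each stanza name to its list of findings (empty list means clean)."""
    return {name: lint_macro(name, body) for name, body in parse_conf(text).items()}


if __name__ == "__main__":
    for name, findings in lint_all(MACROS_CONF).items():
        print(f"[{name}]", "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

To run it against a real deployment, read the app's local macros.conf into `lint_all` instead of the constructed string; a clean macro yields an empty list, which makes the check easy to wire into a pre-deploy step.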

hazekamp
Builder

Jason, you may want to open a ticket with support related to this. I replicated your configurations locally and was not able to reproduce the error. Good luck!


jason_hubbard
Path Finder

I edited my post. I'm using version 4.2. All of my attempts at creating the macro were through the GUI >Manager>Advanced Search>Search Macros.
