Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

mvindex not working trying to extract time of firewall events

pscheidl
New Member
‎08-07-2014 03:07 AM

Hi guys,

I have a search which finds DHCP and Firewallevents with the same src_ip.

It works perfectly fine, but gives me multiple DHCP events. Which is ok, but I want to limit my search to the first DHCP event which happened BEFORE the firewallevent. I thought i could just extract the time of the firewallevent with mvindex, but unfortunately, when I type
eval new_time=mvindex(_time, -1) I get nothing, and when I type eval new_time=mvindex(_time, 0), I get all 3 timestamps of the 3 events.
I also tested this out with other fields, because is suspected that maybe _time was causing me trouble, but I have the same problems with IP fields, status fields etc.

This does not make sense to me, according to the docs I am correctly using the command, and it should just return the testtime at the index that I specified.

Does anyone have an idea why the mvindex is not working?

Thanks in advance!

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎08-07-2014 06:50 AM

I am expecting that Firewall events and DHCP events have different sourcetypes say "Firewall" and "DHCP", So try something like this ( update value of sourcetype as per yours.

index=test [search index=test dest_ip=xx.xx.xx.xx | return src_ip] | reverse| streamstats current=f window=1 first(sourcetype) as prevSourcetype | eval sno=case(sourcetype="Firewall",1,prevSourcetype="Firewall",1,1=1,0) | where sno=1 | reverse
0 Karma
Reply

pscheidl
New Member
‎08-07-2014 06:15 AM

The idea was to get one timestamp with mvindex, then calculate a given time, and use this time to specify earliest, for example. I hope this makes at least a little sense, I know it is a bit confusing..

0 Karma
Reply

pscheidl
New Member
‎08-07-2014 06:14 AM

I can not post the real logs, but will post something similar so we can maybe work this out.

index=test [search index=test dest_ip=xx.xx.xx.xx | return src_ip]

This is my search, which gives the expected results. The subsearch returns a Firewallevent, the outer search returns all DHCP-Events with the same src_ip.

Since I want to identify who got the SourceIP before the firewallevent occured, I would need to only get the last DHCP event before the Timestamp of the Firewallevent. So basically a tail/head. Unfortunately I can not seem to do this, and get all the DHCP events.

0 Karma
Reply

somesoni2
Revered Legend
‎08-07-2014 06:09 AM

mvindex doesn't work with negative index. For a multivalued field with 'N' items, the index will go from 0 to 'N-1'. It seems like you're trying to get the last events time from a list of events and if that's the case, streamstats command is the one you need. Would you mind posting your full search query and sample logs.

0 Karma
Reply

pscheidl
New Member
‎08-07-2014 04:56 AM

I am not doing a transaction, but a subsearch with a return at the end. But this should not interfere with the mvindex if the timefield is multivalued, or am I wrong?

0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-07-2014 04:54 AM

mvindex() works on multi-valued fields in a single event, but is seems that you are working with several separate events. Are you doing this through a transaction?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...