Splunk Search

Follow on from http://splunk-base.splunk.com/answers/70576/break-a-search-down-per-day

robK123
Explorer

It will not let me post a comment on the http://splunk-base.splunk.com/answers/70576/break-a-search-down-per-day answer, as it says there are too many letters, so I have to create a new post (sorry if there is a way to post the comment, but I could not see how!)

I have created the below search, but I get the following error when I try to run it, and I cannot see what I have done wrong.

"Error in 'stats' command: The number of wildcards between field specifier '' and rename specifier 'daily_failure_count' do not match. Note: empty field specifiers implies all fields, e.g. sum() == sum()"

source="secure" sshd "pam_ldap: error trying to bind as user"|top uid limit=8 | fields - percent | bin _time span=1d | stats count sshd "pam_ldap: error trying to bind as user" AS daily_failure_count by uid _time | where daily_failure_count =>5 | table_time uid daily_failure_count


Drainy
Champion

Well, you need to run stats against a field; you can't just run it against a series of words. Just remove the text and run it as a stats count.

E.g.

source="secure" sshd "pam_ldap: error trying to bind as user"|top uid limit=8 | fields - percent | bin _time span=1d | stats count AS daily_failure_count by uid _time | where daily_failure_count>=5 | table _time uid daily_failure_count


Drainy
Champion

The most important thing to remember is that when you pipe to a command you pass the results of the previous command over, so if you do a statistical command that strips away the time element, then you cannot do anything against time in the following commands (well, unless you do some other magic, but let's not overcomplicate it at the moment 😉 ). Good luck!


robK123
Explorer

Thanks very much it now works!

I still have lots to learn about Splunk 🙂 although I now know a bit more about top and bucket.


Drainy
Champion

Sorry, I just corrected the error but didn't really read the search. Think it through: you are using top, which does a count, so how can you then bucket this by time? There is no time element to it anymore, as each result has been summarised with a count. Remove the top. Perhaps do something like this: SEARCHTERMS | bin _time span=1d | stats count AS daily_failure_count by uid _time | where daily_failure_count>4 | table _time uid daily_failure_count | top uid limit=8

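An added Python model of the pipeline ordering discussed above (this is not code from the thread or from Splunk): it replays the corrected search, bin by day, stats count by uid and day, where on the threshold, then top, over constructed pam_ldap log lines, and shows that running top first leaves only (uid, count) rows with no _time left to bin. The uid regex extraction, the hostname and the pid are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

def _event(ts, uid):
    # Constructed sample line shaped like the sshd pam_ldap message in the question;
    # host "ldapsrv" and pid are made up.
    return f'{ts} ldapsrv sshd[2211]: pam_ldap: error trying to bind as user "{uid}" (Invalid credentials)'

SAMPLE_SECURE_LOG = "\n".join(
    [_event(f"2013-01-10T08:0{i}:00", "alice") for i in range(5)]     # alice: 5 failures on day 1
    + [_event(f"2013-01-11T09:0{i}:00", "alice") for i in range(2)]   # alice: 2 on day 2
    + [_event(f"2013-01-11T10:0{i}:00", "bob") for i in range(6)]     # bob: 6 on day 2
    + [_event("2013-01-11T11:00:00", "carol")])                       # carol: 1 on day 2

# Assumed field extraction: _time from the timestamp, uid from the quoted user name.
LINE_RE = re.compile(r'^(?P<ts>\S+) \S+ sshd\[\d+\]: pam_ldap: error trying to bind as user "(?P<uid>[^"]+)"')

def parse(raw):
    """Base search: yield (_time, uid) for every matching bind-failure event."""
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["uid"]

def daily_failures(raw, threshold=5, limit=8):
    """bin _time span=1d | stats count AS daily_failure_count by uid _time
       | where daily_failure_count>=threshold | top uid limit=limit"""
    # bin: truncate each _time to its day; stats: count events per (day, uid)
    counts = Counter((ts.date().isoformat(), uid) for ts, uid in parse(raw))
    rows = [{"_time": day, "uid": uid, "daily_failure_count": n}
            for (day, uid), n in counts.items() if n >= threshold]
    # top uid over the surviving rows: how many days each uid crossed the threshold
    top = Counter(r["uid"] for r in rows).most_common(limit)
    return rows, top

def top_first(raw, limit=8):
    """The original order: top uid summarises all events into (uid, count) rows.
    Nothing here carries a _time, so a later bin/stats by _time has no field to use."""
    return Counter(uid for _, uid in parse(raw)).most_common(limit)
```

With the sample log, daily_failures flags alice on 2013-01-10 and bob on 2013-01-11, while top_first returns only per-uid totals with the day information already discarded.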

robK123
Explorer

Thanks, it now lets me run it, but it does not return any results and says "No matching fields exist".

It does say 147 matching events, but it will not show them.

But I know there should be results to see.
