I have tried creating a Search macro with a stats command and *any* of the stats arguments return with an "Error in 'stats' command: The argument 'last(field)' is invalid." It always errors out on the first argument in the stats command list.
## So if I use the line below, I get the error @ dc(fielda):
stats dc(fielda) as count, last(fieldb) as B ... by field_id
## If I use the line below, I instead get the error @ last(fieldb):
stats last(fieldb) as B, dc(fielda) as count ... by field_id
If I use the Stats command in a regular search, it works fine, but if I substitute the macro it returns the error. Example ...
index="index" fieldx="xxx" | `my_macro` | table *
Ultimately my goal is to create a 'transaction-like' macro that will organize my events. Yes, I know I can just use Transaction, but in our circumstances doing a stats-based pseudo transaction is a lot faster, and the macro would be cleaner for the Splunk users.
## My stats Command [name = create_transaction]
stats dc(session_status) as session_status_count, values(session_status) as session_status, last(src_mac) as src_mac, last(src_ip) as src_ip, last(dest_ip) as dest_ip, last(user) as user, last(user_group) as user_group, last(src_nt_group) as src_nt_group, last(src_country_color) as src_country_color, last(_time) as session_start_time, first(_time) as session_end_time, last(date_wday_short) as www, last(date_month_num) as MM, last(date_year) as YYYY, last(date_mday) as dd, last(src_nt_host) as src_nt_host, last(src_os_software) as src_os_software, last(src_os_version) as src_os_version, last(src_country) as src_country, last(src_region) as src_region, last(src_city) as src_city, by session_id
## Search Command
user=$user$ | `create_transaction` | strcat www ": " MM "." dd "." YYYY fullDate | eval time=strftime(session_start_time,"%H:%M") | eval active_duration=tostring((now()-session_start_time),"duration") | eval timeDelta=tostring((session_end_time-session_start_time),"duration") | eval duration=if(session_status="logout",timeDelta,active_duration) | table session_id, user, time, fullDate, duration, src_ip, dest_ip, src_mac, src_nt_host, src_os_software, src_os_version, src_country, src_region, src_city | sort -session_id
I found out what was causing my issue: a paragraph return. In my copying and pasting back and forth to Notepad, I guess I must have hit return once right after stats; and with the small input text box for Splunk I just assumed that line wrapped because the next word was long.
Now I can use this: index="xxx" `create_transaction(fieldname,searchterm)`
## [create_transaction]
$search_field$="$search_term$" |
stats dc(session_status) as session_status_count,
values(session_status) as session_status,
last(src_mac) as src_mac,
last(src_ip) as src_ip,
last(dest_ip) as dest_ip,
last(user) as user,
last(user_group) as user_group,
last(src_nt_group) as src_nt_group,
last(src_country_color) as src_country_color,
last(_time) as session_start_time,
first(_time) as session_end_time,
first(date_wday_short) as www,
first(date_month_num) as MM,
first(date_year) as YYYY,
first(date_mday) as dd,
last(src_nt_host) as src_nt_host,
last(src_os_software) as src_os_software,
last(src_os_version) as src_os_version,
last(src_country) as src_country,
last(src_region) as src_region,
last(src_city) as src_city, by session_id |
strcat www ": " MM "." dd "." YYYY fullDate |
eval time=strftime(session_start_time,"%H:%M") |
eval active_duration=tostring((now()-session_start_time),"duration") |
eval timeDelta=tostring((session_end_time-session_start_time),"duration") |
eval duration=if(session_status="logout",timeDelta,active_duration) |
table session_id, user, time, fullDate, duration, src_ip, dest_ip, src_mac, src_nt_host,
src_os_software, src_os_version, src_country, src_region, src_city |
sort -session_id
Note: In the actual macro, the line returns are removed (as I have learned).
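Since the failure here came from a line break hidden inside the stats definition, a small pre-save check catches it before the macro editor does. The following is an added example, not code from the original post or from Splunk: it normalizes a macro definition to one logical line and lints the stats argument list (the function set `STATS_FUNCS` is an assumed subset of what stats accepts; the sample definitions are constructed from the ones quoted in this thread).

```python
import re

# Aggregation functions stats accepts: the ones used on this page plus a few
# common ones. This is an assumed subset; extend it for your deployment.
STATS_FUNCS = {
    "count", "dc", "distinct_count", "values", "list", "first", "last",
    "earliest", "latest", "min", "max", "avg", "sum", "median", "mode",
}
# One aggregation argument: func(field) with an optional "as alias".
ARG_RE = re.compile(r"^(\w+)\(([^()]*)\)(?:\s+as\s+\S+)?$", re.IGNORECASE)


def normalize_definition(definition: str) -> str:
    """Collapse CR/LF (and surrounding whitespace) into single spaces so the
    definition is one logical SPL line, which is what the macro editor needs."""
    return re.sub(r"\s*[\r\n]+\s*", " ", definition.strip())


def lint_stats_definition(definition: str) -> list:
    """Return a list of problem strings for a macro definition built on stats.
    An empty list means nothing suspicious was found."""
    problems = []
    if re.search(r"[\r\n]", definition):
        problems.append("definition contains a line break; collapse it to one line")
    text = normalize_definition(definition)
    m = re.match(r"^stats\s+(.*?)(?:\s+by\s+(.+))?$", text, re.IGNORECASE)
    if not m:
        problems.append("definition does not start with a stats command")
        return problems
    # Split the aggregation list on commas; a trailing comma before "by" is tolerated.
    args = [a.strip() for a in m.group(1).split(",") if a.strip()]
    if not args:
        problems.append("stats has no aggregation arguments")
    for arg in args:
        if arg.lower() == "count":  # bare count needs no parentheses
            continue
        fm = ARG_RE.match(arg)
        if fm is None:
            problems.append(f"argument {arg!r} is not of the form func(field) [as name]")
        elif fm.group(1).lower() not in STATS_FUNCS:
            problems.append(f"argument {arg!r} uses unknown stats function {fm.group(1)!r}")
        elif not fm.group(2).strip():
            problems.append(f"argument {arg!r} has an empty field name")
    return problems


if __name__ == "__main__":
    # Constructed sample: the thread's definition with a stray return after "stats".
    pasted = "stats\r\ndc(fielda) as count, last(fieldb) as B by field_id"
    print(lint_stats_definition(pasted))
    print(normalize_definition(pasted))
```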
Jason,
What version of Splunk are you using? I just tried reproducing this successfully in 4.2 like so:
## macros.conf
[mymacro]
definition = stats dc(sourcetype) as unique_sourcetypes, last(host) as last_host by source
## searches (both worked fine)
index=_internal | head 10 | `mymacro`
index=_internal | head 10 | `mymacro` | table *
Could you possibly provide your macro definition? I noticed in the search above you didn't have backticks surrounding your macro... I'm assuming this was just in the example, or something escaped by Answers?
Jason, You may want to open a ticket w/ support related to this. I replicated your configurations locally, and was not able to reproduce the error. Good Luck!
I edited my post. I'm using version 4.2. All of my attempts at creating the macro were through the GUI > Manager > Advanced Search > Search Macros.