- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is my current stats search not producing any r...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can anyone tell me why this comment is not working? I have all the mentioned fields in my data, but when I add stats max(_time) as last_time by host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action |dedup last_time,host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action
I'm not getting any result. Here is my full search:
src=122.15.158.173 sourcetype=cisco:asa "Deny*" |stats max(_time) as last_time by host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action |dedup last_time,host,sourcetype,action,dest,dest_ip,dest_port,dev,index,msg,src,src_ip,src_port,vendor_action
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two things:
- You don't need the dedup afterwards because you are already summarising with stats
- If any of the fields in the stats group by clause does not exist or is empty you are going to have problems.
Try this first to see if the are any events matching your requirements with data in all the required fields:
src=122.15.158.173 sourcetype=cisco:asa "Deny*"
host=*
sourcetype=*
action=*
dest=*
dest_ip=*
dest_port=*
dev=*
index=*
msg=*
src=*
src_ip=*
src_port=*
vendor_action=*
If that works then append the stats afterwards:
| stats max(_time) as last_time by host, sourcetype, action, dest, dest_ip, dest_port, dev, index, msg, src, src_ip, src_port, vendor_action
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
as i checked, "sourcetype=cisco:asa" events are not having a field "dev"
tried it without "dev" and its working fine..
src=122.15.158.173 sourcetype=cisco:asa "Deny*"|stats max(_time) as last_time by host,sourcetype,action,dest,dest_ip,dest_port,index,msg,src,src_ip,src_port,vendor_action |dedup last_time,host,sourcetype,action,dest,dest_ip,dest_port,index,msg,src,src_ip,src_port,vendor_action
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, it has Dev field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oh ok. i thought cisco:asa logs may have same format. seems your environment is different. ok, thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two things:
- You don't need the dedup afterwards because you are already summarising with stats
- If any of the fields in the stats group by clause does not exist or is empty you are going to have problems.
Try this first to see if the are any events matching your requirements with data in all the required fields:
src=122.15.158.173 sourcetype=cisco:asa "Deny*"
host=*
sourcetype=*
action=*
dest=*
dest_ip=*
dest_port=*
dev=*
index=*
msg=*
src=*
src_ip=*
src_port=*
vendor_action=*
If that works then append the stats afterwards:
| stats max(_time) as last_time by host, sourcetype, action, dest, dest_ip, dest_port, dev, index, msg, src, src_ip, src_port, vendor_action
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
