Splunk Search

mvindex not working trying to extract time of firewall events

pscheidl
New Member

Hi guys,

I have a search which finds DHCP and Firewall events with the same src_ip.

It works perfectly fine, but gives me multiple DHCP events, which is ok, but I want to limit my search to the first DHCP event which happened BEFORE the Firewall event. I thought I could just extract the time of the Firewall event with mvindex, but unfortunately, when I type
eval new_time=mvindex(_time, -1) I get nothing, and when I type eval new_time=mvindex(_time, 0), I get all 3 timestamps of the 3 events.
I also tested this out with other fields, because I suspected that maybe _time was causing me trouble, but I have the same problems with IP fields, status fields etc.

This does not make sense to me; according to the docs I am correctly using the command, and it should just return the time at the index that I specified.

Does anyone have an idea why the mvindex is not working?

Thanks in advance!


somesoni2
Revered Legend

I am expecting that Firewall events and DHCP events have different sourcetypes, say "Firewall" and "DHCP", so try something like this (update the value of sourcetype as per yours).

index=test [search index=test dest_ip=xx.xx.xx.xx | return src_ip]
| reverse
| streamstats current=f window=1 first(sourcetype) as prevSourcetype
| eval sno=case(sourcetype="Firewall",1,prevSourcetype="Firewall",1,1=1,0)
| where sno=1
| reverse

pscheidl
New Member

The idea was to get one timestamp with mvindex, then calculate a given time, and use this time to specify earliest, for example. I hope this makes at least a little sense, I know it is a bit confusing.


pscheidl
New Member

I cannot post the real logs, but will post something similar so we can maybe work this out.

index=test [search index=test dest_ip=xx.xx.xx.xx | return src_ip]

This is my search, which gives the expected results. The subsearch returns a Firewall event, the outer search returns all DHCP events with the same src_ip.

Since I want to identify who got the source IP before the Firewall event occurred, I would need to only get the last DHCP event before the timestamp of the Firewall event. So basically a tail/head. Unfortunately I cannot seem to do this, and get all the DHCP events.


somesoni2
Revered Legend

mvindex doesn't work with a negative index. For a multivalued field with 'N' items, the index will go from 0 to 'N-1'. It seems like you're trying to get the last event's time from a list of events, and if that's the case, the streamstats command is the one you need. Would you mind posting your full search query and sample logs?


pscheidl
New Member

I am not doing a transaction, but a subsearch with a return at the end. But this should not interfere with the mvindex if the time field is multivalued, or am I wrong?


kristian_kolb
Ultra Champion

mvindex() works on multi-valued fields in a single event, but it seems that you are working with several separate events. Are you doing this through a transaction?
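As an added illustration of the two points made in this thread (it is not a search posted by any participant), the first search below picks the last DHCP event before the Firewall event without mvindex, by copying the Firewall event's _time onto every event with eventstats and then filtering; the second builds a genuine multivalue field per src_ip with stats, which is the situation mvindex is meant for, and uses mvcount to address the last element without a negative index. Both assume the sourcetype names "Firewall" and "DHCP" suggested by somesoni2 and reuse the placeholder dest_ip and the index=test subsearch from the question; adjust those to your environment.

```spl
index=test [search index=test dest_ip=xx.xx.xx.xx | return src_ip]
| eventstats max(eval(if(sourcetype="Firewall", _time, null()))) AS fw_time
| where sourcetype="DHCP" AND _time < fw_time
| sort - _time
| head 1
| table _time src_ip fw_time

index=test sourcetype="DHCP" [search index=test dest_ip=xx.xx.xx.xx | return src_ip]
| stats values(_time) AS dhcp_times BY src_ip
| eval first_dhcp=mvindex(dhcp_times, 0),
       last_dhcp=mvindex(dhcp_times, mvcount(dhcp_times) - 1)
| convert ctime(first_dhcp) ctime(last_dhcp)
```

In the first search, fw_time is null for every event if the outer search did not return a Firewall event, so the where clause drops everything; that is the expected outcome and a useful check that the sourcetype names are right. The second search relies on values() returning a sorted list, which for epoch timestamps of equal digit length is also chronological order, so index 0 is the earliest lease and mvcount-1 the latest. Because stats collapses the per-event results into one row per src_ip, mvindex operates inside a single result there, which is exactly what it could not do on _time across separate events in the original search.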
