Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

mvindex not working trying to extract time of firewall events

pscheidl
New Member
‎08-07-2014 03:07 AM

Hi guys,

I have a search which finds DHCP and Firewallevents with the same src_ip.

It works perfectly fine, but gives me multiple DHCP events. Which is ok, but I want to limit my search to the first DHCP event which happened BEFORE the firewallevent. I thought i could just extract the time of the firewallevent with mvindex, but unfortunately, when I type
eval new_time=mvindex(_time, -1) I get nothing, and when I type eval new_time=mvindex(_time, 0), I get all 3 timestamps of the 3 events.
I also tested this out with other fields, because is suspected that maybe _time was causing me trouble, but I have the same problems with IP fields, status fields etc.

This does not make sense to me, according to the docs I am correctly using the command, and it should just return the testtime at the index that I specified.

Does anyone have an idea why the mvindex is not working?

Thanks in advance!

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎08-07-2014 06:50 AM

I am expecting that Firewall events and DHCP events have different sourcetypes say "Firewall" and "DHCP", So try something like this ( update value of sourcetype as per yours.

index=test [search index=test dest_ip=xx.xx.xx.xx | return src_ip] | reverse| streamstats current=f window=1 first(sourcetype) as prevSourcetype | eval sno=case(sourcetype="Firewall",1,prevSourcetype="Firewall",1,1=1,0) | where sno=1 | reverse
0 Karma
Reply

pscheidl
New Member
‎08-07-2014 06:15 AM

The idea was to get one timestamp with mvindex, then calculate a given time, and use this time to specify earliest, for example. I hope this makes at least a little sense, I know it is a bit confusing..

0 Karma
Reply

pscheidl
New Member
‎08-07-2014 06:14 AM

I can not post the real logs, but will post something similar so we can maybe work this out.

index=test [search index=test dest_ip=xx.xx.xx.xx | return src_ip]

This is my search, which gives the expected results. The subsearch returns a Firewallevent, the outer search returns all DHCP-Events with the same src_ip.

Since I want to identify who got the SourceIP before the firewallevent occured, I would need to only get the last DHCP event before the Timestamp of the Firewallevent. So basically a tail/head. Unfortunately I can not seem to do this, and get all the DHCP events.

0 Karma
Reply

somesoni2
Revered Legend
‎08-07-2014 06:09 AM

mvindex doesn't work with negative index. For a multivalued field with 'N' items, the index will go from 0 to 'N-1'. It seems like you're trying to get the last events time from a list of events and if that's the case, streamstats command is the one you need. Would you mind posting your full search query and sample logs.

0 Karma
Reply

pscheidl
New Member
‎08-07-2014 04:56 AM

I am not doing a transaction, but a subsearch with a return at the end. But this should not interfere with the mvindex if the timefield is multivalued, or am I wrong?

0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-07-2014 04:54 AM

mvindex() works on multi-valued fields in a single event, but is seems that you are working with several separate events. Are you doing this through a transaction?

0 Karma
Reply
Get Updates on the Splunk Community!

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...