https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498160#M138769 <P>THanks @to4kawa , This is working for me.. Thanks for your help..</P> Mon, 18 May 2020 09:06:39 GMT hariram159 2020-05-18T09:06:39Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498145#M138754 <OL> <LI>Need to find out suspicious IPs and count of hits (sub search)</LI> <LI>use those IPs and do outer search in same time frame of each result of subsearch</LI> <LI>show fields of outer search and inner search count</LI> </OL> <P>index=trace type=success | eval temp=split(ip,",") |eval src=mvindex(temp,0) | search [search index=trace type=blocks | bin span=10m _time |eval temp=split(ip,",") |eval src=mvindex(temp,0)|stats count by src| where count &gt; 50| fields src] | table _time src route</P> <P>Now i am getting wrong results because ip is dynamic (once ip used by attacker may be genuine ip at other time, i am getting genuine results of suspicious IP used once - time picker is last 6 months.).. now i want to search outer query in same timeframe of each subsearch result (need to find ip of success type who are blocked more than 50 times at same time)</P> <P>Thanks in Advance.</P> Sat, 16 May 2020 19:54:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498145#M138754 hariram159 2020-05-16T19:54:02Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498146#M138755 <P>keep subsearch _time, create and use <CODE>earliest</CODE> and <CODE>latest</CODE></P> Sat, 16 May 2020 21:53:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498146#M138755 to4kawa 2020-05-16T21:53:56Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498147#M138756 <P>How? Can you please mention how to use with query.. I have already tried that but I will try again.. </P> Sun, 17 May 2020 03:46:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498147#M138756 hariram159 2020-05-17T03:46:15Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498148#M138757 <P>You're the only one who knows the logs, so you'll have to make the queries.</P> <P><A href="https://answers.splunk.com/answers/527487/can-we-pass-earliest-and-latest-time-in-subsearch.html">https://answers.splunk.com/answers/527487/can-we-pass-earliest-and-latest-time-in-subsearch.html</A></P> Sun, 17 May 2020 06:15:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498148#M138757 to4kawa 2020-05-17T06:15:25Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498149#M138758 <P>This doesn't helping me out as I have asked.. this is just time picker to search the events... What I want is to match the time for the results obtained in the sub search with the time in main search to ensure those are actual events occurred at that time.</P> Sun, 17 May 2020 06:29:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498149#M138758 hariram159 2020-05-17T06:29:25Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498150#M138759 <P>I agree with @to4kawa you need to use the <CODE>earliest</CODE> and <CODE>latest</CODE> properties in your searches.</P> <P>You may try using your search below and add values for earliest and latest as per the need, so they both run for same time range</P> <PRE><CODE>index=trace type=success earliest=-7d@d latest= now() | eval temp=split(ip,",") |eval src=mvindex(temp,0) | search [search index=trace type=blocks earliest=-7d@d latest= now() | bin span=10m _time |eval temp=split(ip,",") |eval src=mvindex(temp,0)|stats count by src| where count &gt; 50| fields src] | table _time src route </CODE></PRE> Sun, 17 May 2020 07:33:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498150#M138759 sanjeev543 2020-05-17T07:33:46Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498151#M138760 <P>This will run outer search and sub search at same time range but this is not I want. <BR /> Suppose 1.1.1.1 is suspicious ip returned by subsearch occurred at 4/16/2020 21:00:00 then outer search has to search for 1.1.1.1 around 4/16/2020 20:55:00 to 4/16/2020 21:05:00.. similarly for other results of subsearch. <BR /> What I am getting is 1.1.1.1 is getting searched across all the time and getting wrong results as it might be genuine ip other time</P> Sun, 17 May 2020 14:09:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498151#M138760 hariram159 2020-05-17T14:09:58Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498152#M138761 <P><CODE>How to do main search with same time frame of each result of subsearch</CODE></P> <P>Your comment is not the same as your question. Please correct as appropriate.</P> <P>and, you should use <CODE>earliest</CODE> and <CODE>latest</CODE></P> <P><CODE>This doesn't helping me out as I have asked..</CODE> <BR /> read carefully</P> Sun, 17 May 2020 21:50:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498152#M138761 to4kawa 2020-05-17T21:50:01Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498153#M138762 <P>I hope I have posted with right title only... "Main search should happen at same time <STRONG>for each result of subsearch</STRONG>"</P> Mon, 18 May 2020 03:31:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498153#M138762 hariram159 2020-05-18T03:31:26Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498154#M138763 <P>sample(try time picker <EM>24hours ago</EM><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <PRE><CODE>index=_internal sourcetype=splunkd_ui_access [ search index=_audit "_internal" | eval earliest=relative_time(_time,"-5min@min"), latest=relative_time(_time,"+5min@min") | streamstats count | where count=1 OR count=100 | fields earliest latest | format] </CODE></PRE> <P>If you use <CODE>format</CODE>, you can pass multiple results of a sub search like this.</P> <P>Note: that if you also pass values for fields other than <EM>earliest</EM> and <EM>latest</EM>, you need to change the <CODE>format</CODE> args slightly.</P> <P>reference: <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format</A></P> Mon, 18 May 2020 04:01:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498154#M138763 to4kawa 2020-05-18T04:01:29Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498155#M138764 <P>Let me try</P> Mon, 18 May 2020 04:21:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498155#M138764 hariram159 2020-05-18T04:21:02Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498156#M138765 <P>as per doc i am returning as |fields src, earliest, latest , now it will work for outer search as below right for each result of subsearch ?</P> <P>| outer query ("src1" AND earliest="earliest1" AND latest="latest1") OR ("src2" AND earliest="earliest2" AND latest="latest2")......</P> <P>is this assumption right ?</P> Mon, 18 May 2020 06:32:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498156#M138765 hariram159 2020-05-18T06:32:11Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498157#M138766 <PRE><CODE>index=_internal sourcetype=splunkd* | eval earliest=_time-10, latest=_time+10 | fields source earliest latest | tail 2 | format </CODE></PRE> <P>check sub search only.</P> Mon, 18 May 2020 07:16:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498157#M138766 to4kawa 2020-05-18T07:16:04Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498158#M138767 <P>yeah i do checked the subsearch only, i am getting the format as i assumed <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> but earlier and latest are returned as epoch times, i hope those also will work fine.</P> Mon, 18 May 2020 07:23:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498158#M138767 hariram159 2020-05-18T07:23:32Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498159#M138768 <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers</A></P> <P>Epoch time is no problem.</P> Mon, 18 May 2020 07:41:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498159#M138768 to4kawa 2020-05-18T07:41:30Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498160#M138769 <P>THanks @to4kawa , This is working for me.. Thanks for your help..</P> Mon, 18 May 2020 09:06:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498160#M138769 hariram159 2020-05-18T09:06:39Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498161#M138770 <P>Please post your final query so others can see it.</P> Mon, 18 May 2020 09:08:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498161#M138770 to4kawa 2020-05-18T09:08:10Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498162#M138771 <P>Here is my final query..</P> <P>index=trace type=success | eval temp=split(ip,",") |eval src=mvindex(temp,0) | search [search index=trace type=blocks | bin span=10m _time |eval temp=split(ip,",") |eval src=mvindex(temp,0)| eval earliest=relative_time(_time,"-5min@min"), latest=relative_time(_time,"+5min@min") | streamstats count by src | where count &gt; 50 | fields src,earliest,latest |format] | table _time src id | sort -_time</P> Wed, 30 Sep 2020 05:29:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498162#M138771 hariram159 2020-09-30T05:29:59Z https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498163#M138772 <P>thanks @hariram159 <BR /> Happy splunking!</P> Mon, 18 May 2020 09:24:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-do-main-search-with-same-time-frame-of-each-result-of/m-p/498163#M138772 to4kawa 2020-05-18T09:24:45Z