topic How to pass event time from an inner subsearch to the outer search results table? in Splunk Search

How to pass event time from an inner subsearch to the outer search results table?

Glasses — Tue, 27 Apr 2021 21:53:35 GMT

Hi,

Here are my searches

index=foo <search criteria> | table user _time
index=bar <search criteria> | table user _time

The user field values are passed from inner to outer search

index=foo [search index=bar <search criteria> | eval time1=_time | table user time1] <search criteria> |eval time2=_time| table user time1 time2

I want to create a table >>>> user time1 time2

Then I will be doing a delta on the time diff.

I am stuck trying to get the time carried over from the inner search to the outer search, not sure if this way is even possible... its been a while but I am pretty sure I have done this before...

Seems like whenever I pass the new field time1, the outer search tries to search with that as criteria, which produces no results...

Thx!

Re: How to pass event time from an inner subsearch to the outer search results table?

richgalloway — Tue, 27 Apr 2021 23:39:24 GMT

Run the subsearch by itself with the format command appended to see what it is passing to the main search.

index=bar <search criteria> | eval time1=_time | table user time1 | format

You should get results that look a bit like this:

((user=foo time1=bar) OR (user=foo2 time1=bar2) OR (user=foo3 time1=bar3))

When that is added to the main search it looks like this:

index=foo ((user=foo time1=bar) OR (user=foo2 time1=bar2) OR (user=foo3 time1=bar3)) <search criteria> | eval time2=_time | table user time1 time2

It should work well if the index in the main search has a field called "time"1", but otherwise you'll end up with nothing.

Use a subsearch when you need the results of a search to become part of the enclosing search. If you just need to combine the results of two searches then there are easier ways.

Re: How to pass event time from an inner subsearch to the outer search results table?

Glasses — Tue, 27 Apr 2021 23:12:11 GMT

Thanks Rich your suggestion helps get me closer, only issue is the table does not list exactly the way I want, but I think I can solve that, if not I will ask another question.

Re: How to pass event time from an inner subsearch to the outer search results table?

richgalloway — Tue, 27 Apr 2021 23:39:50 GMT

I think I know why the table doesn't look right. Try my revised answer.

Re: How to pass event time from an inner subsearch to the outer search results table?

Glasses — Wed, 28 Apr 2021 14:48:29 GMT

Hi Rich,

The table format I want is

user time2 time1 match diff alice 1619615378 1619615378 yes 0 bob 1619534249 1619534249 yes 0 charlie 1619541847 1619541846 no 1

I know that is more than this thread covers but here is where I am stuck

currently trying to get the "match" to work and find the "difference" between (time2-time1) but with chart "values" I have multiple lines per user, still trying to wrangle this....

for example, this is a result

alice 1619534249 1619534249 1619614029 1619614029 1619614364 1619614363

Re: How to pass event time from an inner subsearch to the outer search results table?

richgalloway — Thu, 29 Apr 2021 13:52:47 GMT

Perhaps this will help get the remaining fields.

Re: How to pass event time from an inner subsearch to the outer search results table?

Glasses — Thu, 29 Apr 2021 14:22:12 GMT

Thank you Rich. I apologize the query requestors changed directions on what they need but yes, you replies have helped, especially explaining the " | append [subsearch] "...