topic Re: Using a result from one search in another search in Splunk Search

Using a result from one search in another search

htkhtk — Fri, 10 Sep 2010 03:56:08 GMT

I am trying to:

Find a date/time of a certain event.
Take that date/time from number 1. and use it to search for events only from that date/time forward.

If the date/time from number 1 was September 1st at 1:45.. Then for number 2, I would only want to get back events from September 1st and forward (forgetting about events before that.)

I need this to be automatic in the searches because the date/time range from number 1 will change based upon different circumstances.

I tried subsearches to no avail.

I am using _time.

Thanks in advance!

Re: Using a result from one search in another search

jrodman — Fri, 10 Sep 2010 04:15:51 GMT

This is pattern is possible using a subsearch, with kind of hack of a special field called 'search', mentioned over here:

http://answers.splunk.com/questions/3471/using-a-subsearch-to-get-the-time-of-an-event

Re: Using a result from one search in another search

htkhtk — Fri, 10 Sep 2010 04:29:56 GMT

I have gotten that far but when I try to do the where _time > [that sub search here].. It doesn't work or sometimes i get an error that says the values aren't compatible

Re: Using a result from one search in another search

jrodman — Fri, 10 Sep 2010 04:55:49 GMT

In the example given, there would be no where clause. It simply becomes a constraint on the base search, which is vastly more performant. The base search command can and does perform numerical equality testing as well as numerical comparisons.

Re: Using a result from one search in another search

gkanapathy — Fri, 10 Sep 2010 05:22:22 GMT

you can't use a subsearch with the where command. Please see my other answer.

Re: Using a result from one search in another search

gkanapathy — Fri, 10 Sep 2010 05:22:26 GMT

This should pretty much be it:

sourcetype=outer [ sourcetype=inner item=xxxx | head 1 | rename _time as earliest | fields earliest ]

I use head 1 to ensure just a single result, but if you only get one result some other way, that's fine too.

Re: Using a result from one search in another search

jrodman — Fri, 10 Sep 2010 05:33:56 GMT

Yeah if you just want to bound, rather than get exact second, this is better.

Re: Using a result from one search in another search

htkhtk — Fri, 10 Sep 2010 20:04:58 GMT

This is exactly what i wanted.. thanks!

Re: Using a result from one search in another search

dennywebb — Sun, 21 Apr 2013 07:57:20 GMT

Is there a way to do this same thing... but for multiple results? like if i wanted to show a table full of IP stats/etc limited to the top 10 IP values of only 1 of those stats? or in this example, the earliest 10?