topic Re: using transaction in subsearch to define earliest latest in mainsearch in Splunk Search

using transaction in subsearch to define earliest latest in mainsearch

TheEggi98 — Thu, 02 Sep 2021 09:28:30 GMT

I want to use the subsearch to get start and endtime of the newest transaction (here a botsession).

The subsearch alone gives me:
starttime= 09/01/2021:17:28:49
endtime= 09/01/2021:19:42:50

At first i used the subsearch without strftime()
but Splunk said earliest/latest cant parse epochtime and that it wants format %m/%d/%Y:%H:%M:%S

that brings me to my current search where splunk says "Invalid value "starttime" for time term 'earliest'"
When i use the results of the subsearch when running alone it works.

How can i make use of the start-/endtime?
Or is there a better method to limit my mainsearch for the newest botsession?

My Search (not the final search, but i want to work with the events from a specific session):

index="fishingbot"
[search index=fishingbot
| transaction startswith="Anmeldung erfolgreich!" endswith="deaktiviert!"
| eval endtime=strftime((_time+duration), "%m/%d/%Y:%H:%M:%S")
| eval starttime=strftime(_time, "%m/%d/%Y:%H:%M:%S")
| top starttime endtime limit=1
| table starttime endtime]
earliest=starttime latest=endtime

Re: using transaction in subsearch to define earliest latest in mainsearch

PickleRick — Thu, 02 Sep 2021 09:53:16 GMT

Just return properly named fields from your subsearch. So don't do

[[...] | table start end ] earliest=start latest=end

Because it won't work.

[[...] | table start end | rename start as earliest | rename end as latest ]

Re: using transaction in subsearch to define earliest latest in mainsearch

TheEggi98 — Thu, 02 Sep 2021 10:01:40 GMT

Thanks! That works.

So with naming the times in the subsearch to earliest/latest splunk will automatically use them as timerange.

Good to know 🙂

Re: using transaction in subsearch to define earliest latest in mainsearch

PickleRick — Thu, 02 Sep 2021 10:15:01 GMT

Yes, the results of the subsearch are directly inserted as parameters for search. I can't find it specified anywhere explicitly but it looks that if the resulting set contains multiple fields, they are added with an implicit AND (like in your case - earliest=something AND latest=something) but if you have multiple rows of the same column, they are added with an implicit OR

index=windows [ index=windows | stats top 2 source | table source ]

Should search for events that have their source field set to one of two most often appearing values.