topic Re: [Version 8.2.4] No longer able to use timestamps from return command in subsearch in Splunk Search

[Version 8.2.4] No longer able to use timestamps from return command in subsearch

steen — Fri, 21 Jan 2022 16:08:10 GMT

Hi,

In the past (Splunk Enterprise v 7.x.x) I used the below search to run a report every few min. There were so many results that due to limitations I had to run them 1 day spans. I needed to do this for 6 months of data so I automated the process with a repeating report...

I would run this search to create the first entries which is necessary of the next step

index="app" sourcetype="api" type=log*
| eval time=_time
| sort time desc
| table time type version
| outputlookup append=false My_file.csv

Then I created a report , set it to run every 1 or 2 minutes with the below search. It basically looks at the earliest date in My_file.csv file, then adjust the earliest and latest times for the main search.

It just runs the search with the timeframe in my Splunk time picker. It doesn't seem to take the earliest and latest from my 'return' command in the subsearch.

Give me the below results, so I don't get why the value isn't used in the top search

earliest="1642374033.873" latest="1642719633.873"

It works though if I do a map, but that's not a viable solution due to the high volumes...

What's frustrating is that this used to work and now I need to do the same exercise and I can't use it again.

Does anybody have an idea why it's not working? Have you experience similar issues?

Thanks

Re: [Version 8.2.4] No longer able to use timestamps from return command in subsearch

steen — Fri, 21 Jan 2022 16:19:21 GMT

Additional info:
If I take the values from the return command in the subsearch and replace it into a makeresults command, then it works

index="app" sourcetype="api" type=log* [| makeresults | eval earliest="1642304033.873" | eval latest="1642719633.873" | return earliest latest]

I don't get why it works here but not with the inputlook up, it's pretty much the same thing. no?

Re: [Version 8.2.4] No longer able to use timestamps from return command in subsearch

diogofgm — Fri, 21 Jan 2022 16:44:03 GMT

Hi steen,

I don't think that's a version problem. I made small test in 8.2.4 with this:

I can get the results from the expected hour.

Check the job inspector for clues. Look for the remoteSearch to see what Splunk is sending to the indexers.

Re: [Version 8.2.4] No longer able to use timestamps from return command in subsearch

diogofgm — Fri, 21 Jan 2022 16:46:34 GMT

I would edit the main post with those details instead of posting a reply

Re: [Version 8.2.4] No longer able to use timestamps from return command in subsearch

steen — Fri, 21 Jan 2022 19:55:08 GMT

Hi @diogofgm,

I noticed you didn't use the parentheses here:

| eval latest = mi-0.001 | eval earliest = latest-3600

So I tried removing them from my search and it works!

I don't understand how the parentheses causes it to fail. Furthermore, the return works fine with parentheses when I use it as a search on it's own (not as subsearch). And it used to work fine on our older version of Splunk.

Oh well...thanks for your input, much appreciated 😉

PS: How do I edit my post, I looked everywhere, but don't seem to have the option.

Re: [Version 8.2.4] No longer able to use timestamps from return command in subsearch

diogofgm — Sat, 22 Jan 2022 00:14:14 GMT

Glad I pointed you in right direction.

As for the edit, there a down arrow on the right side just above the post title where you have multiple options regarding the post and edit is just one of them.