Subsearch using time from lookup in main search

adamblock2 — Tue, 10 May 2022 23:37:12 GMT

I am performing a lookup in a main search which returns earliest_event and latest_event timestamp values. I would like to use these timestamp values as parameters for a subsearch. The search would be similar to the following:

index=foo ........... | lookup lookuptable.csv session_id OUTPUTNEW session_id, earliest_event, latest_event ........... | append [ search index=bar earliest=earliest_event latest=latest_event ...........]

The time parameters for the subsearch are not being accepted, though.

Is there a different way that this can be accomplished?

Re: Subsearch using time from lookup in main search

ITWhisperer — Wed, 11 May 2022 04:48:50 GMT

Subsearches generally execute before the main search, which essentially means you cannot pass information from the main search to the subsearch as you are trying to do.

However, you might be able to do something with the map command rather than the append command, but this has performance implications, so proceed with caution. 😀

topic Re: Subsearch using time from lookup in main search in Splunk Search

Subsearch using time from lookup in main search

Re: Subsearch using time from lookup in main search