https://community.splunk.com/t5/Splunk-Search/How-to-find-all-the-events-since-the-last-instance-of-a-specific/m-p/156001#M43889 <P>I feel like this should be an easy question to find the answer to, but I've spent a good hour or so looking and haven't found it. So, at the risk of looking stupid, here goes:</P> <P>I'd like to craft a search string to use in a dashboard that returns all the instances of a defined set of events (say, A, B and C) that have occurred since the last occurrence of a different event (say X). I can write the two queries independently no problem:</P> <PRE><CODE>event_id="X" | head 1 | table _time </CODE></PRE> <P>gives me the time of the last instance of X, and then I can just change the time range selector to set that to start at that point and run </P> <PRE><CODE>event_id="A" OR event_id="B" or event_id="C" </CODE></PRE> <P>to find the events I'm interested in. But it really seems like this should be possible to do in a single query, passing the result of the first as a parameter into the <CODE>where</CODE> clause of the second.</P> Wed, 08 Oct 2014 17:54:46 GMT davemulligan 2014-10-08T17:54:46Z https://community.splunk.com/t5/Splunk-Search/How-to-find-all-the-events-since-the-last-instance-of-a-specific/m-p/156001#M43889 <P>I feel like this should be an easy question to find the answer to, but I've spent a good hour or so looking and haven't found it. So, at the risk of looking stupid, here goes:</P> <P>I'd like to craft a search string to use in a dashboard that returns all the instances of a defined set of events (say, A, B and C) that have occurred since the last occurrence of a different event (say X). I can write the two queries independently no problem:</P> <PRE><CODE>event_id="X" | head 1 | table _time </CODE></PRE> <P>gives me the time of the last instance of X, and then I can just change the time range selector to set that to start at that point and run </P> <PRE><CODE>event_id="A" OR event_id="B" or event_id="C" </CODE></PRE> <P>to find the events I'm interested in. But it really seems like this should be possible to do in a single query, passing the result of the first as a parameter into the <CODE>where</CODE> clause of the second.</P> Wed, 08 Oct 2014 17:54:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-all-the-events-since-the-last-instance-of-a-specific/m-p/156001#M43889 davemulligan 2014-10-08T17:54:46Z https://community.splunk.com/t5/Splunk-Search/How-to-find-all-the-events-since-the-last-instance-of-a-specific/m-p/156002#M43890 <P>A subsearch should work nicely here. You can use this to pass KV pairs to the outer search, in your case _time as earliest.</P> <PRE><CODE>event_id="A" OR event_id="B" or event_id="C" latest=now [ search event_id="X" | head 1 | table _time | rename _time AS earliest ] </CODE></PRE> <P>So this passes the value of _time for the event found in the first search (named earliest) and then passes it to the outer search which should do what you want.</P> Wed, 08 Oct 2014 21:12:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-all-the-events-since-the-last-instance-of-a-specific/m-p/156002#M43890 emechler_splunk 2014-10-08T21:12:27Z https://community.splunk.com/t5/Splunk-Search/How-to-find-all-the-events-since-the-last-instance-of-a-specific/m-p/156003#M43891 <P>Thank you. I didn't fully understand that the sub search return key - value pairs.</P> Wed, 08 Oct 2014 21:19:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-all-the-events-since-the-last-instance-of-a-specific/m-p/156003#M43891 davemulligan 2014-10-08T21:19:38Z