topic How to display the time of one search in the final result when we have another subsearch inside of it? in Splunk Search

How to display the time of one search in the final result when we have another subsearch inside of it?

Vignesh5r — Fri, 05 Aug 2016 19:08:22 GMT

Below is my search.

What I need is to have the time related to that error also saved(Timen) and then shown in the final result which has result of another subsearch.

When I run it, I am getting the value of only FIELDNAME1 and not Timen.

index!=_internal "error" " |eval Timen=strftime(_time,"%m/%d/%y %T")|   accum Timen|                  rex "(?i)text>(?P[^<]+)" | dedup FIELDNAME | map search="search index!=_internal $FIELDNAME$" | search "error1 " |rex "(?i)text1=(?P[^]]+)" | rex "(?i)text2=(?P[^]]+)" |  eval Time=strftime(_time,"%m/%d/%y %T")| table FIELDNAME1  Time Timen

Re: How to display the time of one search in the final result when we have another subsearch inside of it?

somesoni2 — Fri, 05 Aug 2016 19:55:19 GMT

The field names are stripped off in the question, making is difficult to understand. Apart from correcting that, could you also, describe your requirement here in little more details?

Re: How to display the time of one search in the final result when we have another subsearch inside of it?

Vignesh5r — Fri, 05 Aug 2016 20:02:12 GMT

 index!=_internal "error" " |eval Timen=strftime(_time,"%m/%d/%y %T")| rex "(?i)text>(?P[^<]+)" | dedup FIELDNAME | map search="search index!=_internal $FIELDNAME$" | search "error1 " |rex "(?i)text1=(?P[^]]+)" |   eval Time=strftime(_time,"%m/%d/%y %T")| table FIELDNAME1  Time Timen

I want to display the field Timen in my results. Currently it displays only FIELDNAME1 and Time and not Timen

Re: How to display the time of one search in the final result when we have another subsearch inside of it?

somesoni2 — Fri, 05 Aug 2016 20:08:41 GMT

Give this a try

index!=_internal "error" |eval Timen=strftime(_time,"%m/%d/%y %T")| rex "(?i)text\>(?P<FIELDNAME>[^\<]+)" | dedup FIELDNAME | table Timen FIELDNAME | map search="search index!=_internal $FIELDNAME$ | eval Timen=\"$Timen$\"" | search "error1 " |rex "(?i)text1=(?P<FIELDNAME1>[^\]]+)" | eval Time=strftime(_time,"%m/%d/%y %T")| table FIELDNAME1 Time Timen

Re: How to display the time of one search in the final result when we have another subsearch inside of it?

Vignesh5r — Fri, 05 Aug 2016 20:37:00 GMT

It doesnt work. It displays $Timen and not the value

Re: How to display the time of one search in the final result when we have another subsearch inside of it?

somesoni2 — Fri, 05 Aug 2016 20:43:24 GMT

Oops, missed a $ sign there. Try now.

Re: How to display the time of one search in the final result when we have another subsearch inside of it?

Vignesh5r — Fri, 05 Aug 2016 20:49:13 GMT

Perfect. It works. Thanks a lot for your kind help on this!!!

Re: How to display the time of one search in the final result when we have another subsearch inside of it?

Vignesh5r — Fri, 05 Aug 2016 20:52:45 GMT

One more question. What if i have to display the FIELDNAME along with Timen?

Re: How to display the time of one search in the final result when we have another subsearch inside of it?

Vignesh5r — Fri, 05 Aug 2016 21:13:50 GMT

Okay i found that this doesnt actually provide the result i am expecting. Let me correct my quetion. I need to know the time of the exact FIELDNAME which matches with the error1 field. (There can be multiple results for that fieldname initially and the timen is showing the latest one for that)