topic Re: How to run different timerange in subsearch versus the original search? in Splunk Search

How to run different timerange in subsearch versus the original search?

rafasalo — Thu, 08 Sep 2016 10:55:20 GMT

Hi,

I'm trying to execute this query:

index=index_cbo  [search index=index_cbo 12018955000155 "An error ocurred during \"Conexão com servidores\" initialization step."| dedup CNPJ| table CNPJ]

12018955000155 is my ID.

Basically I would like to get all events of this id (12018955000155) in my index_cbo.

The problem is that I just get result up to the time of the last event with the Message "An error ocurred during \"Conexão com servidores\" initialization step.". To make it clear, I have, for example, 3 events with the correspondent time:

09:00:00 Message: Hello World
08:59:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
07:40:00 Message: An error ocurred during \"Conexão com servidores\" initialization step

Instead of I get all the 3 events as a result of my query, I'm just getting the 2 bellows (the one of 8:59:00 and the another of 07:40:00)
Anyone can help me? I want to get the 3 events...

Thanks in advance!

PS: Just for the matter of testing, the example bellow I've forced my subsearch results in a table of just one id (12018955000155).

Re: How to run different timerange in subsearch versus the original search?

sundareshr — Thu, 08 Sep 2016 11:11:36 GMT

What do you get when you try this search

index=index_cbo CNPJ="12018955000155"

Re: How to run different timerange in subsearch versus the original search?

rafasalo — Thu, 08 Sep 2016 11:12:25 GMT

 09:00:00 Message: Hello World
 08:59:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
 07:40:00 Message: An error ocurred during \"Conexão com servidores\" initialization step

However, when I use the subsearch I just get

 08:59:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
 07:40:00 Message: An error ocurred during \"Conexão com servidores\" initialization step

Re: How to run different timerange in subsearch versus the original search?

sundareshr — Thu, 08 Sep 2016 11:21:07 GMT

Click on Job>>Inspect Job and in the pop up window, search for litsearch. What is in the final query? You should see something like index=index_cbo CNPJ="12018955000155"

Re: How to run different timerange in subsearch versus the original search?

rafasalo — Thu, 08 Sep 2016 11:32:11 GMT

Sorry, I have run my query again. when I search: index=index_cbo CNPJ="12018955000155" I get:

 08:59:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
 07:40:00 Message: An error ocurred during \"Conexão com servidores\" initialization step

BTW the for the Message 09:00:00 Message: Hello World the name of the field is no CNPJ is CNPJ_WS.

Re: How to run different timerange in subsearch versus the original search?

PPape — Tue, 29 Sep 2020 10:54:33 GMT

you could try this: index=index_cbo (CNPJ="12018955000155" OR CNPJ_WS="12018955000155")

but I didn't really understand why you need a subsearch... maybe it would help if you pastebin a small sample of your data and give us a preview of the table you expect to see after your query

Re: How to run different timerange in subsearch versus the original search?

sundareshr — Thu, 08 Sep 2016 12:16:27 GMT

So it appears your original, subsearch is returning correct results? What is your desired final output?

Re: How to run different timerange in subsearch versus the original search?

rafasalo — Thu, 08 Sep 2016 12:55:59 GMT

I've found the problem:

Here is the solution:

index=index_cbo  [search index=index_cbo 12018955000155 "An error ocurred during"| dedup CNPJ|rename CNPJ as CNPJ_WS | table CNPJ_WS]

The field that identifies the message 09:00:00 Message: Hello World is CNPJ_WS and not just CNPJ.
Thank you folks.

cheers

Re: How to run different timerange in subsearch versus the original search?

mchandrasekaran — Tue, 29 Sep 2020 10:55:08 GMT

Hi,

I am trying to pass the time from a subsearch to the main search. I used the rename function the way you have mentioned in the above comment, but it is not working. Any idea on what might be the issue?

This is the subsearch that I am using :

[|search source=wineventlog:security EventCode=4740 | rename _time as lockout_time | fields user,lockout_time]

Thank you

Re: How to run different timerange in subsearch versus the original search?

somesoni2 — Tue, 29 Sep 2020 10:56:14 GMT

You don't need a pipe at the start of this subsearch. Once, you fix that your fields user and lockout_time will be passed to main search. I'm assuming your base search has fields user and lockout_time and you want to use this subsearch as filter for those two field values.

Re: How to run different timerange in subsearch versus the original search?

mchandrasekaran — Tue, 29 Sep 2020 10:55:11 GMT

Yes, I am using user and lockout_time as a filter. I am able to pass it as _time, the problem arises when I use rename _time as lockout_time

Re: How to run different timerange in subsearch versus the original search?

sundareshr — Tue, 29 Sep 2020 10:56:20 GMT

You need to change the format of lookout_time in your sub-search. _time is in epoch format. To change the format you can use the strftime(lookout_time, "%m-%d-%Y") command (use appropriate modifiers)

Re: How to run different timerange in subsearch versus the original search?

mchandrasekaran — Sat, 10 Sep 2016 00:28:45 GMT

Got it. Thank you so much.