- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- Sub search return value that's not in main search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sub search return value that's not in main search
I have a Splunk sub search similar to
index=index1 type="example" [ search index=index2 type="other" | eval nowtime=_time | eval maxtime=_time+30 | fields user] | table user, nowtime, maxtime
Now in index2 there are extra fields as nowtime, maxtime and I need to compare this nowtime & maxtime to index1's event time like index1's _time > nowtime and index1's time < maxtime.
For this I have to return values nowtime & maxtime out of the inner search which I am unable to do.
The inner search is based on a common field called user which is both in index1 and index2. How can I check if the user logged in index2 and then should have a login within 30 seconds in index1..?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pls use append, if you want to pass the results of the subsearch to the main search.
index=index1 type="example" | append [ search index=index2 type="other" | eval nowtime=_time | eval maxtime=_time+30 | fields user] | table user, nowtime, maxtime
let me know if it works..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @karthikmalla ,
Your sub-search is not returning the fields because you have restricted the inner search fields to fields user
Can you please try below and see if it works for you ? You might change the aggregation function based on your events order
(index=index1 OR index=index2) | stats latest(eval(if(index=="index1",_time,NULL))) as index1_time,latest(eval(if(index=="index2",_time,NULL))) as index2_time by user
|eval diff= index2_time- index1_time|where diff <30
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually this is deduping the user which shouldn't happen and also not all users time difference is working. If I run over a full day index1 has around 100,000 results and index2 has 100 results and technically every event in index2 should be in index1 as well (but with time difference) however only 1 or 2 events are displaying. Not sure why the other are ignored.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
alright, can you please try this and let's know
index=index1 type="example" |join user type=outer [ search index=index2 type="other" | eval nowtime=_time | eval maxtime=_time+30 | fields nowtime,maxtime] | table _time,user, nowtime, maxtime
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried this before and as I said in my earlier comment index1 has 100,000 results and index2 has 100 results and I need user login in index2 should check with user login in index1 within 30 seconds the way join does is if there is any login in index1 it will still join it. My main blocker is checking 2 events from different index within 30 seconds.
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
