Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

returning _time from subsearch to main search

rmurthy
Engager
‎11-09-2012 10:39 AM

Hi,
I want to run a subsearch, pass the host and _time to the main search. The main search will look for some other events for the host from earliest=_time (returned from subsearch) and latest=_time + x hrs.
Can you tell me how can I achieve this?

Thanks.

Tags (1)
Reply

dwaddle
SplunkTrust
SplunkTrust
‎11-09-2012 02:19 PM

You can directly return earliest and latest from the subsearch, which should do what you want. 

sourcetype=foo bar baz [ search sourcetype=blah 
|eval earliest=field1 
| eval latest=field1+3600 
| fields earliest, latest ]
Reply

sowings
Splunk Employee
Splunk Employee
‎11-09-2012 11:06 AM

Have your subsearch return terms of earliest and latest. So this might look like

[ search <subsearch> | rename \_time AS earliest | eval latest=earliest + (3600 * x) | fields earliest, latest ]
<main_search>

Where x is your number of hours. The _time field is an epoch time, hence doing math in seconds.

Reply
Get Updates on the Splunk Community!

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...