Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

returning _time from subsearch to main search

rmurthy
Engager
‎11-09-2012 10:39 AM

Hi,
I want to run a subsearch, pass the host and _time to the main search. The main search will look for some other events for the host from earliest=_time (returned from subsearch) and latest=_time + x hrs.
Can you tell me how can I achieve this?

Thanks.

Tags (1)
Reply

dwaddle
SplunkTrust
SplunkTrust
‎11-09-2012 02:19 PM

You can directly return earliest and latest from the subsearch, which should do what you want. 

sourcetype=foo bar baz [ search sourcetype=blah 
|eval earliest=field1 
| eval latest=field1+3600 
| fields earliest, latest ]
Reply

sowings
Splunk Employee
Splunk Employee
‎11-09-2012 11:06 AM

Have your subsearch return terms of earliest and latest. So this might look like

[ search <subsearch> | rename \_time AS earliest | eval latest=earliest + (3600 * x) | fields earliest, latest ]
<main_search>

Where x is your number of hours. The _time field is an epoch time, hence doing math in seconds.

Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...