Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ı want time values comes from subsearch to main search for every record

burakatabay
Path Finder
‎08-25-2021 06:41 AM

ı want time values comes from subsearch to main search for every record, for example my vpn session table have a start and end time. I want to use this start and end time for traffic logs.

burakatabay_6-1629898671997.png

I want to use for time filter this vpn_start and vpn_end fileds

But no result has returned.

burakatabay_5-1629898596229.png

 

I want to find traffic logs with in spesified time range on records.

 

Thank you for helps.

 

Happy splunking.

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎08-26-2021 02:17 AM

Hi @burakatabay,

You can try renaming vpn_start, vpn_end and tunnelip fields like below;

index=fortinet sourcetype=fgt_traffic 
    [ search index=fortinet devname=<vpn_device>" user!="N/A" (eventtype="ftnt_fgt_vpn_start" OR eventtype="ftnt_fgt_vpn_end") tunnelid!=0 faruk* 
    | bin _time span=2d 
    | stats earliest_time(_time) as earliest, latest_time(_time) as latest by _time user tunnelid tunnelip 
    | rename tunnelip as srcip 
    | fields srcip earliest latest]
If this reply helps you an upvote is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎08-26-2021 02:17 AM

Hi @burakatabay,

You can try renaming vpn_start, vpn_end and tunnelip fields like below;

index=fortinet sourcetype=fgt_traffic 
    [ search index=fortinet devname=<vpn_device>" user!="N/A" (eventtype="ftnt_fgt_vpn_start" OR eventtype="ftnt_fgt_vpn_end") tunnelid!=0 faruk* 
    | bin _time span=2d 
    | stats earliest_time(_time) as earliest, latest_time(_time) as latest by _time user tunnelid tunnelip 
    | rename tunnelip as srcip 
    | fields srcip earliest latest]
If this reply helps you an upvote is appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-25-2021 10:49 AM

Run the subsearch by itself with | format appended.  The result is what is returned by the subsearch and appended to the main search.  Does that query make sense for what you wish to achieve?  Probably not. The index likely does not contain vpn_start and vpn_end fields so the search will fail.

If the subsearch returned earliest and latest keywords it would be better, but the format command only supports the '=' operator, not '<' or '>'.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...