
Assistance with Map using Map to perform a search from a table of the original search

atljoer
Loves-to-Learn

TLDR: The goal is to perform an initial search which returns a table of the time each user authenticated, then for each row in the table perform a subsequent search to find each time they established a connection to the server. The Authentication data and Network data are 100% separate.

My initial search is

index=authentication objectId="thingIcareabout" 
| eval earliest1=timestamp/1000
| eval earliestPlus10m=earliest1+600
| table username, earliest1, earliestPlus10m

This successfully runs and returns:

username  earliest1   earliestPlus10m
Joe       1610632992  1610630191
Bob       1610629591  1610633592

 

The reason I add earliestPlus10m is so I can run a subsequent search against the network index and limit the amount of results to parse.

If I try the map command:
index=authentication objectId="thingIcareabout" 
| eval earliest1=timestamp/1000
| eval earliestPlus10m=earliest1+600
| table username, earliest1, earliestPlus10m
| map search="index=network connected $username$ earliest=$earliest1$ latest=$earliestPlus10m$ | stats earliest(_time)" 

I get my 2 events, but no results in Statistics from map. I run the job inspector and it says the map returns no results. I literally copy the query from the inspector and run it in a new search and it does return exactly what I want. For instance
index=network connected Joe earliest=1610632992 latest=1610632992 | stats earliest(_time) does return correctly. 

Confused here what I may be doing wrong...

 

My ultimate goal is:

userName  earliest1   subsearch(time)  calculated field (subsearchtime-earliest1)
Joe       1610632992  1610633001       9
Bob       1610629591  1610629598       7

to4kawa
Ultra Champion

 

index=network connected [ search index=authentication objectId="thingIcareabout"
| eval earliest=timestamp/1000
| eval latest=earliest+600
| table username, earliest, latest
| format "(" "" "" "" ") OR (" ")"]

 

But your ultimate goal and '| stats earliest(_time)' are different.

Also, is Joe not in the username field in the network index?

 

ref: My Japanese blog (English translated)


atljoer
Loves-to-Learn

Hi, thank you to4kawa. Maybe I should focus on the goal:

Run 1 query that returns:

Userid  Auth Time
Joe     1/19 6:30 AM
Bob     1/19 7:30 AM
Hank    1/19 9:45 AM
Joe     1/19 3:30 PM

 

For each row in that result set, run a subsequent query against a 'network' index which is basically:

  • Find the first time 'Joe' shows up in the network log starting at 6:30 AM:  6:31:22
  • Find the first time 'Bob' shows up in the network log starting at 7:30 AM: 7:35:12
  • Find the first time 'Hank' shows up in the network log starting at 9:45 AM: 9:45:46
  • Find the first time 'Joe' shows up in the network log starting at 3:30 PM: 3:31:05

Then for each row, subtract the Auth timestamp from the network log timestamp so each row returns:

Timestamp     User (Session)  TimefromAuthtoNetwork
1/19 6:30 AM  Joe             1:22
1/19 7:30 AM  Bob             5:12
1/19 9:45 AM  Hank            0:46
1/19 3:30 PM  Joe             1:05

 

Does that make sense? 


to4kawa
Ultra Champion

index=auth OR index=network
| stats min(eval(if(index="auth",_time,null()))) as _time range(_time) as TimefromAuthtoNetwork by userid

 

You may have multiple sessions in a day, etc., but this is the basic idea.

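The per-session lookup atljoer describes (the first 'connected' event for each user at or after the auth time, bounded by the 10-minute window), including the multiple-sessions-per-day case to4kawa mentions, as an added Python example that is not part of the thread and runs outside Splunk; the log line format and the field names user and dst are constructed assumptions:

```python
from bisect import bisect_left
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample data mirroring the thread's tables; not from a real index.
AUTH_EVENTS = [  # (userid, auth time) as the first search would return them
    ("Joe", "2021-01-19 06:30:00"),
    ("Bob", "2021-01-19 07:30:00"),
    ("Hank", "2021-01-19 09:45:00"),
    ("Joe", "2021-01-19 15:30:00"),
]
NETWORK_LOG = [  # raw lines from the 'network' index, deliberately out of order
    "2021-01-19 15:31:05 connected user=Joe dst=10.0.0.5",
    "2021-01-19 06:31:22 connected user=Joe dst=10.0.0.5",
    "2021-01-19 06:29:50 connected user=Joe dst=10.0.0.5",  # before auth: ignored
    "2021-01-19 07:35:12 connected user=Bob dst=10.0.0.7",
    "2021-01-19 09:45:46 connected user=Hank dst=10.0.0.9",
    "2021-01-19 07:40:00 disconnected user=Bob dst=10.0.0.7",  # not a connection
]

def parse_network(lines):
    """Index 'connected' events as a sorted list of datetimes per user."""
    by_user = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "connected":
            continue
        fields = dict(kv.split("=", 1) for kv in parts[3:])
        by_user[fields["user"]].append(datetime.strptime(" ".join(parts[:2]), FMT))
    for times in by_user.values():
        times.sort()
    return by_user

def time_from_auth_to_network(auth_events, network_lines, window=600):
    """For each auth row, take the first connection at or after the auth time and
    within `window` seconds (the earliestPlus10m bound); delta is m:ss or None."""
    conns = parse_network(network_lines)
    rows = []
    for user, auth_str in auth_events:
        auth_ts = datetime.strptime(auth_str, FMT)
        times = conns.get(user, [])
        i = bisect_left(times, auth_ts)  # first connection not before the auth
        secs = int((times[i] - auth_ts).total_seconds()) if i < len(times) else None
        delta = "%d:%02d" % divmod(secs, 60) if secs is not None and secs <= window else None
        rows.append((auth_str, user, delta))
    return rows
```

A second session for the same user (Joe at 3:30 PM) is matched independently because the search starts from each row's own auth time, and a user with no connection inside the window yields None rather than a stale earlier match.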