Splunk Search

Assistance with Map using Map to perform a search from a table of the original search

atljoer
Loves-to-Learn

TLDR: The goal is to perform an initial search which returns a table of the times a user authenticated, then for each row in that table perform a subsequent search to find each time they established a connection to a server. The authentication data and network data are 100% separate.

My initial search is

index=authentication objectId="thingIcareabout" 
| eval earliest1=timestamp/1000
| eval earliestPlus10m=earliest1+600
| table username, earliest1, earliestPlus10m

This successfully runs and returns:

username  earliest1   earliestPlus10m
Joe       1610632992  1610630191
Bob       1610629591  1610633592

 

The reason I add earliestPlus10m is so that I can run a subsequent search against the network index and limit the number of results to parse.

If I try the map command
index=authentication objectId="thingIcareabout" 
| eval earliest1=timestamp/1000
| eval earliestPlus10m=earliest1+600
| table username, earliest1, earliestPlus10m
| map search="index=network connected $username$ earliest=$earliest1$ latest=$earliestPlus10m$ | stats earliest(_time)" 

I get my 2 events, but no results in Statistics from map. I ran the job inspector, and it says the map returns no results. I literally copy the query from the inspector and run it in a new search, and it does return exactly what I want. For instance:
index=network connected Joe earliest=1610632992 latest=1610632992 | stats earliest(_time)
does return correctly.

Confused here what I may be doing wrong...

 

My ultimate goal is

userName  earliest1   subsearch(time)  calculated field (subsearchtime-earliest1)
Joe       1610632992  1610633001       9
Bob       1610629591  1610629598       7

to4kawa
Ultra Champion

 

index=network connected [ search index=authentication objectId="thingIcareabout" 
| eval earliest=timestamp/1000 
| eval latest=earliest+600 
| table username, earliest, latest
| format "(" "" "" "" ") OR (" ")"]

 

But your ultimate goal and '| stats earliest(_time)' are different.

Also, is Joe not in the username field in index network?

 

ref: My Japanese blog (English translated)


atljoer
Loves-to-Learn

Hi thank you to4kawa, maybe I should focus on the goal:

Run 1 query that returns 

Userid  Auth Time
Joe     1/19 6:30 AM
Bob     1/19 7:30 AM
Hank    1/19 9:45 AM
Joe     1/19 3:30 PM

 

For each row in that resultset run a subsequent query against a 'network' index which is basically:

  • Find the first time 'Joe' shows up in the network log starting at 6:30 AM:  6:31:22
  • Find the first time 'Bob' shows up in the network log starting at 7:30 AM: 7:35:12
  • Find the first time 'Hank' shows up in the network log starting at 9:45 AM: 9:45:46
  • Find the first time 'Joe' shows up in the network log start 3:30 PM: 3:31:05 

Then for each row subtract the network log timestamp from the Auth timestamp so each row returns:

Timestamp     User (Session)  TimefromAuthtoNetwork
1/19 6:30 AM  Joe             1:22
1/19 7:30 AM  Bob             5:12
1/19 9:45 AM  Hank            0:46
1/19 3:30 PM  Joe             1:05

 

Does that make sense? 


to4kawa
Ultra Champion

index=auth OR index=network
| stats min(eval(if(index=="auth",_time,null()))) as _time range(_time) as TimefromAuthtoNetwork by userid

 

You may have multiple sessions in a day, etc., but this is the basic idea.

 

 

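As an added example (not part of to4kawa's answer or of the original question), here is one way to carry that single-search idea through to the per-session result the question asks for, including the "multiple sessions in a day" case: each authentication event starts a new pairing, and only the first network event within 10 minutes of it is kept. It assumes the authentication events carry the user in `username` and the network events in `user`; both field names are assumptions, so adjust them to your data.

```spl
(index=authentication objectId="thingIcareabout") OR (index=network connected)
| eval user=coalesce(username, user)
| eval kind=if(index=="authentication", "auth", "net")
| eval auth_ts=if(kind=="auth", _time, null())
| sort 0 user _time kind
| streamstats last(auth_ts) as auth_time by user
| where kind=="net" AND isnotnull(auth_time) AND (_time - auth_time) <= 600
| stats min(_time) as net_time by user auth_time
| eval TimefromAuthtoNetwork=tostring(net_time - auth_time, "duration")
| eval AuthTime=strftime(auth_time, "%m/%d %I:%M %p")
| sort 0 auth_time
| table AuthTime user TimefromAuthtoNetwork
```

The `sort 0 user _time kind` puts each user's events in time order with an `auth` event ahead of a `net` event that lands in the same second, and `streamstats last(auth_ts)` then stamps every network event with the most recent authentication for that user (stats functions ignore the null `auth_ts` on network rows). The `where` clause drops network events that have no preceding authentication or fall outside the 10-minute window, and `stats min(_time) ... by user auth_time` picks the first connection per authentication, so a user who authenticates twice in a day gets two rows. Unlike `map`, which launches one search per row of the first result set, this is a single pass over both indexes.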