Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I dynamically set earliest from subsearch?

richarddicaire
Path Finder
‎09-13-2017 10:37 AM

Hi folks, been all over this site and google, not finding a working solution.

I'm trying to perform a search using a subsearch to populate earliest=

| tstats min(_indextime) as firstTime, max(_indextime) as lastTime where earliest=[ | rest /services/admin/indexes splunk_server=localhost
| search title=syslog | eval dy = (frozenTimePeriodInSecs/86400) | eval earli="-" . dy . "d@d" |fields earli ] index=syslog by index
| eval delta = (lastTime - firstTime) | eval yr = floor(delta/86400/365)| eval dy = (delta/86400) % 365 | eval actual_ret = yr . " years, " . dy . " days"
| eval lastTime=strftime(lastTime,"%Y-%m-%d %H:%M:%S"), firstTime=strftime(firstTime,"%Y-%m-%d %H:%M:%S") | fields index, firstTime, lastTime, delta, actual_ret
| join index [| rest /services/admin/indexes splunk_server=localhost | eval yr = floor(frozenTimePeriodInSecs/86400/365)
| eval dy = (frozenTimePeriodInSecs/86400) % 365 | eval ret = yr . " years, " . dy . " days" | eval index=title
| stats avg(currentDBSizeMB) as currentDBSizeMB, avg(maxTotalDataSizeMB) as maxTotalDataSizeMB, max(frozenTimePeriodInSecs) as frozenTimePeriodInSecs, max(ret) by index
| eval pct_data=(currentDBSizeMB/maxTotalDataSizeMB) * 100] | eval pct_ret = (delta/frozenTimePeriodInSecs)*100

and get error

Invalid value "(" for time term 'earliest'

Also tried subsearch

earliest=[ | rest /services/admin/indexes splunk_server=localhost
| search title=syslog | eval dy = (frozenTimePeriodInSecs/86400) | fields dy ]

with same result. Both subsearches by themselves return correct results:

| rest /services/admin/indexes splunk_server=localhost
| search title=syslog | eval dy = (frozenTimePeriodInSecs/86400) | eval earli="-" . dy . "d@d" |fields earli

returns

-365d@d

and

| rest /services/admin/indexes splunk_server=localhost
| search title=syslog | eval dy = (frozenTimePeriodInSecs/86400) | fields dy

returns

365

How can I get the subsearch value to be used by "earliest="?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-13-2017 10:58 AM

earliest has to be in either relative form, or in epoch form. Try this.,,,

 earliest=[ | rest /services/admin/indexes splunk_server=localhost
| search title=syslog 
| eval search = "-".tostring(floor(frozenTimePeriodInSecs/86400))."d@d" | table search]

NOTE - When you get to the end of a subsearch, the subsearch will return either whatever is in the field search. If there is no such field, the subsearch will implicitly invoke the format command and return whatever fields (field1, field2...) and values are in each record in the format... 

( ( field1="value1fromrecord1" AND field2="value2fromrecord1"... ) OR  ( field1="value1fromrecord2" AND field2="value2fromrecord2"... )  OR ...) )

... which in your case, with one field named dy and a value we'll call 1234, meant it returned...

( ( dy="1234" ) )

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎09-13-2017 10:58 AM

earliest has to be in either relative form, or in epoch form. Try this.,,,

 earliest=[ | rest /services/admin/indexes splunk_server=localhost
| search title=syslog 
| eval search = "-".tostring(floor(frozenTimePeriodInSecs/86400))."d@d" | table search]

NOTE - When you get to the end of a subsearch, the subsearch will return either whatever is in the field search. If there is no such field, the subsearch will implicitly invoke the format command and return whatever fields (field1, field2...) and values are in each record in the format... 

( ( field1="value1fromrecord1" AND field2="value2fromrecord1"... ) OR  ( field1="value1fromrecord2" AND field2="value2fromrecord2"... )  OR ...) )

... which in your case, with one field named dy and a value we'll call 1234, meant it returned...

( ( dy="1234" ) )
Reply
Solved! Jump to solution

richarddicaire
Path Finder
‎09-13-2017 11:22 AM

This worked. It looks like it does the same thing as my first subsearch attempt, how do these differ?

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-13-2017 11:35 AM

@richarddicaire - I already explained that after the horizontal bar. You can play with the format command at the end of any search to see what exactly will be returned. In this specific case, your original code returned something that looked like ( ( dy="1234" ) ) hence, the message that "(" was an invalid value.

0 Karma
Reply
Solved! Jump to solution

richarddicaire
Path Finder
‎09-13-2017 11:48 AM

I understood that, thats the result returned from my second subsearch attempt, I was asking about the difference between between your working result, and my first subsearch attempt.

After checking with format, I'm seeing my first subsearch returned ( ( earli="-365d@d" ) )

Thanks for the explanation, and using format as well.

Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-13-2017 03:10 PM

@richarddicaire - ah, I misunderstood. Yes, format is great to play with. I very often end up using format with unique arguments, then using | rex field=search mode=sed "some rex" to change the results in field search to exactly what I need to return.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...