Splunk Search

How do you use a field defined in the search as a search parameter?

ZikFat
Engager

Hello Splunk people,

I'm trying to do something that seems simple but I'm having a lot of trouble figuring it out.

I'm starting with a search that looks like this

sourcetype=<sourcetype> | eval timestring="2011-11-17 18:01:02" | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(timestring) as timeint

This works ok and does what you'd expect - just a simple search on the sourcetype with a couple of extra fields being defined.

But what I'd really like to do is use the timeint field as an input into an additional search criterion so I can change my search to this:

sourcetype=<sourcetype> latest=timeint | eval timestring="2011-11-17 18:01:02" | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(timestring) as timeint

However this query throws an error saying "timeint" is an invalid value for the "latest" term. My assumption is that this is because timeint isn't being defined until later in the query, but I haven't been able to figure out how to work around this. Trying to use the search command to move my search criteria to the end hasn't given me the results I want.

Any ideas how to make this happen?


ZikFat
Engager

Thanks for the responses. The approach with the where command technically works, but it's not really practical in my situation because the initial search gets run over all time and the results are just filtered down to within the right time range later. It'll give the right results in the end but since the time constraint isn't there on the initial search it takes a very long time to run.

On the other hand, the subsearch approach is working great. But I have to say, that is a very strange and non-obvious trick to pull this off. It really seems like there should be a way in the search syntax to run some commands before specifying your main search criteria. If you could do that, making this work would be trivial.

Thanks again!


ZikFat
Engager

Yeah, my real use case is a bit more complex. It involves taking a human-readable date as input and then constructing a search based on some range of time around that date. I'm converting the user date into an epoch date, adding and subtracting from that date, and then using the resulting fields as inputs to earliest and latest.

But this question isn't really specific to date searching. When I say that this is a non-obvious trick to pull this off the "this" I'm referring to is just the ability to define a field in a search and then search based on the value of that newly-defined field.


sideview
SplunkTrust

I assume that this is some boiled-down version of your real use case? Obviously this is a very artificial and bizarre way to narrow search results by time. But if you really are just trying to filter results by a specific time period you shouldn't do any of this -- just use the TimeRangePicker pulldown, and note it has a 'custom' option where among other things, you can enter calendar dates.


sideview
SplunkTrust

This uses subsearch syntax, to first run the internal search, and then yield its field values and rows out into the outer search as "earliest=1232132141". It's a strange trick to use stats count like this, but in very simple cases it can be a useful one. stats count at the beginning like this will of course yield only a single row, with a single field count, whose value is 0. But that single row is in itself a useful base upon which we can build your time argument.

sourcetype=<sourcetype> [stats count | eval timestring="2011-11-17 18:01:02" | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(timestring) as timeint | rename timeint as earliest | fields earliest]
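The same subsearch trick extended to the windowed use case from the question (a range around a human-readable date), added here as an example rather than code from sideview's post; the one-hour window is a constructed assumption:

```spl
sourcetype=<sourcetype>
  [ stats count
    | eval timestring="2011-11-17 18:01:02"
    | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(timestring) as center
    | eval earliest=center-3600, latest=center+3600
    | fields earliest latest ]
```

Running the bracketed search on its own with `| format` appended shows the exact earliest/latest clause that gets spliced into the outer search, which is the quickest way to confirm the time bounds before running the expensive outer search.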

lguinn2
Legend

Your assumption is correct. Try this:

sourcetype=<sourcetype> | eval timestring="2011-11-17 18:01:02" | convert timeformat="%Y-%m-%d %H:%M:%S" mktime(timestring) as timeint | where _time < timeint

_time is the internal field that represents the time for each event. While Splunk displays it in human-readable format, it is actually an epoch-time value.

So all you need to add is the where command. A second search command will not work here.
