Splunk Search

How to add the trigger time to loadjob?

lwass
Explorer

Hello,

I am trying to pull out the last 24 hours worth of results for an alert using loadjob, with the following search:

index=_audit splunk_server="splunk-csh" action=alert_fired ss_name="myalert" 
| map search="| loadjob $sid$"

That works fine.

I would like to add the column trigger_time to my results. I tried this:

index=_audit splunk_server="splunk-csh" action=alert_fired ss_name="myalert" 
| eval trigger_time = strftime(trigger_time,"%m/%d/%y %H:%M:%S") 
| table trigger_time 
| appendcols 
    [| search index=_audit splunk_server="splunk-csh" action=alert_fired ss_name="myalert" 
    | map search="| loadjob $sid$"]

This kind of works, but if there are multiple results from the loadjob command, it breaks (i.e. it shows the trigger_time but no results from loadjob.

Any ideas?

Thanks,
L

0 Karma

woodcock
Esteemed Legend

Just add this to the end of the search that you are pulling in:

| addinfo | rename info_* AS _info_*

And then you can do this:

| loadjob $sid$ | rename _info_search_time AS trigger_time

to4kawa
Ultra Champion
 index=_audit splunk_server="splunk-csh" action=alert_fired ss_name="myalert" 
 | eval trigger_time = strftime(trigger_time,"%m/%d/%y %H:%M:%S") 
 | table trigger_time sid
 | appendpipe 
    [| map search="| loadjob $sid$"]

I haven't tried it, How about this?

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@lwass

If your first search working then I think below search can helps you. Can you please try this ?

index=_audit splunk_server="splunk-csh" action=alert_fired ss_name="myalert" 
| eval trigger_time = strftime(trigger_time,"%m/%d/%y %H:%M:%S") 
| map search="| loadjob $sid$ | eval trigger_time=\"$trigger_time$\"  " 
| table trigger_time *

OR

index=_audit splunk_server="splunk-csh" action=alert_fired ss_name="myalert" 
| eval trigger_time = strftime(trigger_time,"%m/%d/%y %H:%M:%S") 
| map search="| loadjob $sid$ | eval trigger_time=\"$trigger_time$\"  | table trigger_time * " 
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...