Splunk Search

How to apply the time modifiers in the subsearch to limit the time range of results returned in the parent search?

tenorway
Path Finder

Hi!

I have log statements containing error messages. These lack context information (i.e. user id). The event time from the result of a search for the error should be used to limit the search for log statements containing the context information.

I am trying to perform a subsearch, returning the time interval from this search to be used in the parent search.
I have tried many different approaches suggested in these forums, but I can't get any of them to work as expected.
My time preset in the date picker is last 24 hours, so the subsearch is supposed to search in that range.

*This search doesn't limit the time in the parent search. Results for all 24 hours:*

index=myindex value-to-search-for [search index=myindex "NullPointerException myapplication" | head 1 | eval earliest = _time - 60 | eval latest = _time + 60 | return earliest latest]

*This search doesn't return any values:*

index=myindex value-to-search-for [search index=myindex "NullPointerException myapplication" | head 1 | eval earliest = _time - 60 | eval latest = _time + 60 | fields earliest latest]

*Still no values:*

index=myindex value-to-search-for earliest=myearliest latest=mylatest [search index=myindex "NullPointerException myapplication" | head 1 | eval myearliest = _time - 60 | eval mylatest = _time + 60 | fields myearliest mylatest]

*Giving new names. No result:*

index=myindex value-to-search-for earliest=myearliest latest=mylatest [search index=myindex "NullPointerException myapplication" | head 1 | eval myearliest = _time - 60 | eval mylatest = _time + 60 | fields myearliest mylatest]

*Using return for the new values. Gives invalid time:*

index=myindex value-to-search-for earliest=myearliest latest=mylatest [search index=myindex "NullPointerException myapplication" | head 1 | eval myearliest = _time - 60 | eval mylatest = _time + 60 | return myearliest mylatest]

Any ideas what I'm doing wrong?
Thanks for any assistance!

1 Solution

tenorway
Path Finder

Didn't work either. What I actually made work was this:

index=myindex NullPointerException "history-service" | eval starttime=strftime(_time-1,"%m/%d/%Y:%H:%M:%S") | eval endtime=strftime(_time + 1,"%m/%d/%Y:%H:%M:%S") | map search="search index=myindex history-service earliest=$starttime$ latest=$endtime$" | where isnotnull(UID) | dedup UID | table UID

Don't earliest and latest handle epoch time?


woodcock
Esteemed Legend

You need to use 60, not 1, because epochs are in seconds, not minutes.

tenorway
Path Finder

Actually, I wanted to narrow it to 1 second, but I started with 60 to be sure not to miss any while adjusting the search.

woodcock
Esteemed Legend

Try this:

index=myindex "NullPointerException myapplication" | head 1 | map search="search earliest=$_time$-60 latest=$_time$+60 index=myindex value-to-search-for"

tenorway
Path Finder

Still no results returned. By the way, I tried both the first search and the second search separately (setting the time manually), and they both worked.

My search string:
index=klpi NullPointerException history-service | head 1 | map search="search index=klpi history-service earliest=$_time$-60 latest=$_time$+60"


woodcock
Esteemed Legend

It looks like it does not like using $_time$; does this work for you?

index=myindex "NullPointerException myapplication" | head 1 | rename _time AS time | map search="search index=myindex value-to-search-for earliest=$time$-60 latest=$time$+60"

Be aware that the parser may be very sensitive to exact match of this so keep whitespace exactly the same as I have shown.

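Two working forms of the search discussed in this thread, added here as an example; they are not taken from any of the posts above. Both keep the placeholders the posts use (`index=myindex`, the literal `"NullPointerException myapplication"`, the term `value-to-search-for`, the context field `UID`) and the 60-second window on either side of the error; the `head 20` / `maxsearches=20` cap in the second form is an assumption chosen for this example, not something from the thread. The first search keeps the subsearch approach from the question, but lets `stats` produce the `earliest` and `latest` fields, so the subsearch emits nothing except those two time modifiers. The second is the `map` approach from the accepted answer with the window computed as whole epoch seconds in `eval` before `map` runs, which needs neither the `strftime` formatting of the accepted answer nor the `$_time$-60` arithmetic inside the template from the later replies.

```spl
index=myindex value-to-search-for
    [ search index=myindex "NullPointerException myapplication"
      | head 1
      | stats min(_time) AS earliest max(_time) AS latest
      | eval earliest=floor(earliest-60), latest=ceiling(latest+60) ]
| where isnotnull(UID)
| dedup UID
| table _time UID _raw

index=myindex "NullPointerException myapplication"
| head 20
| eval starttime=floor(_time-60), endtime=ceiling(_time+60)
| map maxsearches=20 search="search index=myindex value-to-search-for earliest=$starttime$ latest=$endtime$"
| where isnotnull(UID)
| dedup UID
| table UID
```

Both forms rely on `earliest` and `latest` accepting an epoch value, which answers the question at the end of the accepted solution; the `%m/%d/%Y:%H:%M:%S` string used there is the other accepted form, not a requirement. In the first search the subsearch returns exactly one row, so it is cheap; if you drop `head 1` to cover several errors, remember that a subsearch is cut off at its default limits (10,000 rows, 60 seconds) and that `min`/`max` over many errors collapses them into one wide window. The second search runs one sub-search per error row, capped by `maxsearches`, so it is the more expensive of the two on a noisy error but gives you a per-error window. Placing `-60` inside the `map` template leaves the literal text `-60` after the epoch in the generated search, which the time modifiers do not evaluate, so the arithmetic belongs in `eval`. Either way, `dedup UID` gives you the set of users active near the error, not the one that caused it; narrow the window (the author wanted 1 second) or add the request identifier before treating a UID as the culprit.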