Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to apply the time modifiers in the subsearch to limit the time range of results returned in the parent search?

tenorway
Path Finder
‎06-11-2015 11:30 PM

Hi!

I have log statements containing error messages. This is lacking context information (ie user id). Using the event time from the result of a search for the error should be used to limit search for log statements containing the context information

I am trying to perform a subsearch, and returning the time interval from this search to be used in the parent search.
I have tried many different approaches suggested in these forums, but I can't get any one to work as expected.
My time preset in the date picker is last 24 hours, so the sub search is supposed to search in that range.

*This search doesn't limit the time in the parent search. Results for all 24 hours: *

index=myindex value-to-search-for [search index=myindex "NullPointerException myapplication" | head 1 | eval earliest = _time - 60 | eval latest = _time + 60 | return earliest latest]

*This search doesn't return any values: *

index=myindex value-to-search-for [search index=myindex "NullPointerException myapplication" | head 1 | eval earliest = _time - 60 | eval latest = _time + 60 | fields earliest latest]

*Still no values *

index=myindex value-to-search-for earliest=myearliest latest=mylatest [search index=myindex "NullPointerException myapplication" | head 1 | eval myearliest = _time - 60 | eval mylatest = _time + 60 | fields myearliest myearliest]

Giving new names. No result

index=myindex value-to-search-for earliest=myearliest latest=mylatest [search index=myindex "NullPointerException myapplication" | head 1 | eval myearliest = _time - 60 | eval mylatest = _time + 60 | fields myearliest myearliest]

Using return for new value. Gives invalid time

index=myindex value-to-search-for earliest=myearliest latest=mylatest [search index=myindex "NullPointerException myapplication" | head 1 | eval myearliest = _time - 60 | eval mylatest = _time + 60 | return myearliest myearliest]

Any ideas what I'm doing wrong?
Thanks for any assistance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tenorway
Path Finder
‎06-14-2015 11:45 PM

Didn't work either. What I actually made work was this: 

index=myindex NullPointerException "history-service" | eval starttime=strftime(_time-1,"%m/%d/%Y:%H:%M:%S") | eval endtime=strftime(_time + 1,"%m/%d/%Y:%H:%M:%S") | map search="search index=myindex history-service earliest=$starttime$ latest=$endtime$" | where isnotnull(UID) | dedup UID | table UID

Doesn't earliest and latest handle epoch time?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tenorway
Path Finder
‎06-14-2015 11:45 PM

Didn't work either. What I actually made work was this: 

index=myindex NullPointerException "history-service" | eval starttime=strftime(_time-1,"%m/%d/%Y:%H:%M:%S") | eval endtime=strftime(_time + 1,"%m/%d/%Y:%H:%M:%S") | map search="search index=myindex history-service earliest=$starttime$ latest=$endtime$" | where isnotnull(UID) | dedup UID | table UID

Doesn't earliest and latest handle epoch time?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-26-2015 04:18 PM

you need to use 60, not 1 because epochs are in seconds, not minutes.

0 Karma
Reply
Solved! Jump to solution

tenorway
Path Finder
‎06-28-2015 11:02 PM

Actually, I wanted to narrow to 1 second, but startet with 60 to be sure not to miss any while adjusting the search.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-12-2015 12:25 AM

Try this:

index=myindex "NullPointerException myapplication" | head 1 | map search="search earliest=$_time$-60 latest=$_time$+60 index=myindex value-to-search-for"
0 Karma
Reply
Solved! Jump to solution

tenorway
Path Finder
‎06-12-2015 03:07 AM

Still no results returned. By the way, I tried both the first search and the second search separately (Setting the time manually), and they both worked

My search string:
index=klpi NullPointerException history-service | head 1 | map search="search index=klpi history-service earliest=$_time$-60 latest=$_time$+60"

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-12-2015 05:04 PM

It looks like it does not like using $_time$; does this work for you?

index=myindex "NullPointerException myapplication" | head 1 | rename _time AS time | map search="search index=myindex value-to-search-for earliest=$time$-60 latest=$time$+60"

Be aware that the parser may be very sensitive to exact match of this so keep whitespace exactly the same as I have shown.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...