Splunk Search

How to apply the time modifiers in the subsearch to limit the time range of results returned in the parent search?

tenorway
Path Finder

Hi!

I have log statements containing error messages. These are lacking context information (i.e. user id). The event time from the result of a search for the error should be used to limit the search for log statements containing the context information.

I am trying to perform a subsearch, and returning the time interval from this search to be used in the parent search.
I have tried many different approaches suggested in these forums, but I can't get any one to work as expected.
My time preset in the date picker is last 24 hours, so the subsearch is supposed to search in that range.

*This search doesn't limit the time in the parent search. Results for all 24 hours:*

index=myindex value-to-search-for [search index=myindex "NullPointerException myapplication" | head 1 | eval earliest = _time - 60 | eval latest = _time + 60 | return earliest latest]

*This search doesn't return any values:*

index=myindex value-to-search-for [search index=myindex "NullPointerException myapplication" | head 1 | eval earliest = _time - 60 | eval latest = _time + 60 | fields earliest latest]

*Still no values*

index=myindex value-to-search-for earliest=myearliest latest=mylatest [search index=myindex "NullPointerException myapplication" | head 1 | eval myearliest = _time - 60 | eval mylatest = _time + 60 | fields myearliest myearliest]

Giving new names. No result

index=myindex value-to-search-for earliest=myearliest latest=mylatest [search index=myindex "NullPointerException myapplication" | head 1 | eval myearliest = _time - 60 | eval mylatest = _time + 60 | fields myearliest myearliest]

Using return for new value. Gives invalid time

index=myindex value-to-search-for earliest=myearliest latest=mylatest [search index=myindex "NullPointerException myapplication" | head 1 | eval myearliest = _time - 60 | eval mylatest = _time + 60 | return myearliest myearliest]

Any ideas what I'm doing wrong?
Thanks for any assistance!

0 Karma
1 Solution

tenorway
Path Finder

Didn't work either. What I actually made work was this:

index=myindex NullPointerException "history-service" | eval starttime=strftime(_time-1,"%m/%d/%Y:%H:%M:%S") | eval endtime=strftime(_time + 1,"%m/%d/%Y:%H:%M:%S") | map search="search index=myindex history-service earliest=$starttime$ latest=$endtime$" | where isnotnull(UID) | dedup UID | table UID

Don't earliest and latest handle epoch time?


0 Karma


woodcock
Esteemed Legend

You need to use 60, not 1, because epochs are in seconds, not minutes.

0 Karma

tenorway
Path Finder

Actually, I wanted to narrow to 1 second, but started with 60 to be sure not to miss any while adjusting the search.

0 Karma

woodcock
Esteemed Legend

Try this:

index=myindex "NullPointerException myapplication" | head 1 | map search="search earliest=$_time$-60 latest=$_time$+60 index=myindex value-to-search-for"

0 Karma

tenorway
Path Finder

Still no results returned. By the way, I tried both the first search and the second search separately (setting the time manually), and they both worked.

My search string:
index=klpi NullPointerException history-service | head 1 | map search="search index=klpi history-service earliest=$_time$-60 latest=$_time$+60"

0 Karma

woodcock
Esteemed Legend

It looks like it does not like using $_time$; does this work for you?

index=myindex "NullPointerException myapplication" | head 1 | rename _time AS time | map search="search index=myindex value-to-search-for earliest=$time$-60 latest=$time$+60"

Be aware that the parser may be very sensitive to exact match of this so keep whitespace exactly the same as I have shown.

0 Karma