Splunk Search

How to apply the time modifiers in the subsearch to limit the time range of results returned in the parent search?

tenorway
Path Finder

Hi!

I have log statements containing error messages. This is lacking context information (ie user id). Using the event time from the result of a search for the error should be used to limit search for log statements containing the context information

I am trying to perform a subsearch, and returning the time interval from this search to be used in the parent search.
I have tried many different approaches suggested in these forums, but I can't get any one to work as expected.
My time preset in the date picker is last 24 hours, so the sub search is supposed to search in that range.

*This search doesn't limit the time in the parent search. Results for all 24 hours: *

index=myindex value-to-search-for [search index=myindex "NullPointerException myapplication" | head 1 | eval earliest = _time - 60 | eval latest = _time + 60 | return earliest latest]

*This search doesn't return any values: *

index=myindex value-to-search-for [search index=myindex "NullPointerException myapplication" | head 1 | eval earliest = _time - 60 | eval latest = _time + 60 | fields earliest latest]

*Still no values *

index=myindex value-to-search-for earliest=myearliest latest=mylatest [search index=myindex "NullPointerException myapplication" | head 1 | eval myearliest = _time - 60 | eval mylatest = _time + 60 | fields myearliest myearliest]

Giving new names. No result

index=myindex value-to-search-for earliest=myearliest latest=mylatest [search index=myindex "NullPointerException myapplication" | head 1 | eval myearliest = _time - 60 | eval mylatest = _time + 60 | fields myearliest myearliest]

Using return for new value. Gives invalid time

index=myindex value-to-search-for earliest=myearliest latest=mylatest [search index=myindex "NullPointerException myapplication" | head 1 | eval myearliest = _time - 60 | eval mylatest = _time + 60 | return myearliest myearliest]

Any ideas what I'm doing wrong?
Thanks for any assistance!

0 Karma
1 Solution

tenorway
Path Finder

Didn't work either. What I actually made work was this:

index=myindex NullPointerException "history-service" | eval starttime=strftime(_time-1,"%m/%d/%Y:%H:%M:%S") | eval endtime=strftime(_time + 1,"%m/%d/%Y:%H:%M:%S") | map search="search index=myindex history-service earliest=$starttime$ latest=$endtime$" | where isnotnull(UID) | dedup UID | table UID

Doesn't earliest and latest handle epoch time?

View solution in original post

0 Karma

tenorway
Path Finder

Didn't work either. What I actually made work was this:

index=myindex NullPointerException "history-service" | eval starttime=strftime(_time-1,"%m/%d/%Y:%H:%M:%S") | eval endtime=strftime(_time + 1,"%m/%d/%Y:%H:%M:%S") | map search="search index=myindex history-service earliest=$starttime$ latest=$endtime$" | where isnotnull(UID) | dedup UID | table UID

Doesn't earliest and latest handle epoch time?

0 Karma

woodcock
Esteemed Legend

you need to use 60, not 1 because epochs are in seconds, not minutes.

0 Karma

tenorway
Path Finder

Actually, I wanted to narrow to 1 second, but startet with 60 to be sure not to miss any while adjusting the search.

0 Karma

woodcock
Esteemed Legend

Try this:

index=myindex "NullPointerException myapplication" | head 1 | map search="search earliest=$_time$-60 latest=$_time$+60 index=myindex value-to-search-for"
0 Karma

tenorway
Path Finder

Still no results returned. By the way, I tried both the first search and the second search separately (Setting the time manually), and they both worked

My search string:
index=klpi NullPointerException history-service | head 1 | map search="search index=klpi history-service earliest=$_time$-60 latest=$_time$+60"

0 Karma

woodcock
Esteemed Legend

It looks like it does not like using $_time$; does this work for you?

index=myindex "NullPointerException myapplication" | head 1 | rename _time AS time | map search="search index=myindex value-to-search-for earliest=$time$-60 latest=$time$+60"

Be aware that the parser may be very sensitive to exact match of this so keep whitespace exactly the same as I have shown.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...