Solved: Re: How to do main search with same time frame of ...

hariram159 · ‎05-16-2020

Need to find out suspicious IPs and count of hits (sub search)
use those IPs and do outer search in same time frame of each result of subsearch
show fields of outer search and inner search count

Now i am getting wrong results because ip is dynamic (once ip used by attacker may be genuine ip at other time, i am getting genuine results of suspicious IP used once - time picker is last 6 months.).. now i want to search outer query in same timeframe of each subsearch result (need to find ip of success type who are blocked more than 50 times at same time)

Thanks in Advance.

to4kawa · ‎05-17-2020

sample(try time picker 24hours ago😞

index=_internal sourcetype=splunkd_ui_access 
    [ search index=_audit "_internal" 
    | eval earliest=relative_time(_time,"-5min@min"), latest=relative_time(_time,"+5min@min") 
    | streamstats count 
    | where count=1 OR count=100
    | fields earliest latest 
    | format]

If you use format, you can pass multiple results of a sub search like this.

Note: that if you also pass values for fields other than earliest and latest, you need to change the format args slightly.

reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format

View solution in original post

to4kawa · ‎05-17-2020

sample(try time picker 24hours ago😞

index=_internal sourcetype=splunkd_ui_access 
    [ search index=_audit "_internal" 
    | eval earliest=relative_time(_time,"-5min@min"), latest=relative_time(_time,"+5min@min") 
    | streamstats count 
    | where count=1 OR count=100
    | fields earliest latest 
    | format]

If you use format, you can pass multiple results of a sub search like this.

Note: that if you also pass values for fields other than earliest and latest, you need to change the format args slightly.

reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format

hariram159 · ‎05-17-2020

Let me try

hariram159 · ‎05-18-2020

THanks @to4kawa , This is working for me.. Thanks for your help..

to4kawa · ‎05-18-2020

Please post your final query so others can see it.

hariram159 · ‎05-18-2020

Here is my final query..

to4kawa · ‎05-18-2020

thanks @hariram159
Happy splunking!

hariram159 · ‎05-17-2020

as per doc i am returning as |fields src, earliest, latest , now it will work for outer search as below right for each result of subsearch ?

| outer query ("src1" AND earliest="earliest1" AND latest="latest1") OR ("src2" AND earliest="earliest2" AND latest="latest2")......

is this assumption right ?

to4kawa · ‎05-18-2020

index=_internal sourcetype=splunkd*
| eval earliest=_time-10, latest=_time+10 
| fields source earliest latest
| tail 2
| format

check sub search only.

hariram159 · ‎05-18-2020

yeah i do checked the subsearch only, i am getting the format as i assumed 🙂
but earlier and latest are returned as epoch times, i hope those also will work fine.

to4kawa · ‎05-18-2020

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers

Epoch time is no problem.

sanjeev543 · ‎05-17-2020

I agree with @to4kawa you need to use the earliest and latest properties in your searches.

You may try using your search below and add values for earliest and latest as per the need, so they both run for same time range

index=trace type=success earliest=-7d@d latest= now() | eval temp=split(ip,",") |eval src=mvindex(temp,0) | search [search index=trace type=blocks earliest=-7d@d latest= now()  | bin span=10m _time |eval temp=split(ip,",") |eval src=mvindex(temp,0)|stats count by src| where count > 50| fields src] | table _time src route

hariram159 · ‎05-17-2020

This will run outer search and sub search at same time range but this is not I want.
Suppose 1.1.1.1 is suspicious ip returned by subsearch occurred at 4/16/2020 21:00:00 then outer search has to search for 1.1.1.1 around 4/16/2020 20:55:00 to 4/16/2020 21:05:00.. similarly for other results of subsearch.
What I am getting is 1.1.1.1 is getting searched across all the time and getting wrong results as it might be genuine ip other time

to4kawa · ‎05-17-2020

How to do main search with same time frame of each result of subsearch

Your comment is not the same as your question. Please correct as appropriate.

and, you should use earliest and latest

This doesn't helping me out as I have asked..
read carefully

hariram159 · ‎05-17-2020

I hope I have posted with right title only... "Main search should happen at same time for each result of subsearch"

to4kawa · ‎05-16-2020

keep subsearch _time, create and use earliest and latest

hariram159 · ‎05-16-2020

How? Can you please mention how to use with query.. I have already tried that but I will try again..

to4kawa · ‎05-16-2020

You're the only one who knows the logs, so you'll have to make the queries.

https://answers.splunk.com/answers/527487/can-we-pass-earliest-and-latest-time-in-subsearch.html

hariram159 · ‎05-16-2020

This doesn't helping me out as I have asked.. this is just time picker to search the events... What I want is to match the time for the results obtained in the sub search with the time in main search to ensure those are actual events occurred at that time.

How to do main search with same time frame of each result of subsearch

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life