index=trace type=success | eval temp=split(ip,",") |eval src=mvindex(temp,0) | search [search index=trace type=blocks | bin span=10m _time |eval temp=split(ip,",") |eval src=mvindex(temp,0)|stats count by src| where count > 50| fields src] | table _time src route
Now I am getting wrong results because the IP is dynamic (an IP once used by an attacker may be a genuine IP at another time; I am getting genuine results for a suspicious IP that was used once, with the time picker set to last 6 months). Now I want to run the outer query in the same timeframe as each subsearch result (I need to find IPs of type success that are blocked more than 50 times at the same time).
Thanks in Advance.
Sample (try with the time picker set to 24 hours ago):
index=_internal sourcetype=splunkd_ui_access
[ search index=_audit "_internal"
| eval earliest=relative_time(_time,"-5min@min"), latest=relative_time(_time,"+5min@min")
| streamstats count
| where count=1 OR count=100
| fields earliest latest
| format]
If you use format, you can pass multiple results of a subsearch like this.
Note: if you also pass values for fields other than earliest and latest, you need to change the format args slightly.
reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Format
Let me try
Thanks @to4kawa, this is working for me. Thanks for your help.
Please post your final query so others can see it.
Here is my final query:
index=trace type=success | eval temp=split(ip,",") |eval src=mvindex(temp,0) | search [search index=trace type=blocks | bin span=10m _time |eval temp=split(ip,",") |eval src=mvindex(temp,0)| eval earliest=relative_time(_time,"-5min@min"), latest=relative_time(_time,"+5min@min") | streamstats count by src | where count > 50 | fields src,earliest,latest |format] | table _time src id | sort -_time
Thanks @hariram159
Happy splunking!
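Added illustration (not SPL from the thread, and not Splunk's own code): a small Python model of what the accepted answer and the final query do, so the per-result time window can be checked offline. It reproduces the subsearch (count blocks per 10-minute bin per src, keep sources with count > 50, attach earliest/latest 5 minutes either side of the bin start), approximates the OR clause that | format hands to the outer search, and then applies each window only to success events from the same src. Field names (ip, src, type, route) follow the thread; the epoch values and all events are constructed, and the output shape of format is modelled on the documented default, not taken from a live Splunk run.

```python
# Constructed sample data and a model of the thread's subsearch/format/outer-search flow.
BASE = 1587070800          # constructed epoch, stands in for 2020-04-16 21:00:00
SPAN = 600                 # bin span=10m
PAD = 300                  # relative_time(_time,"-5min@min") / "+5min@min"
THRESHOLD = 50             # where count > 50


def first_ip(ip_field: str) -> str:
    """eval temp=split(ip,",") | eval src=mvindex(temp,0): first address of a comma-separated list."""
    return ip_field.split(",")[0].strip()


def make_events():
    """Constructed events: 60 blocks from 1.1.1.1 in one bin (suspicious), 10 from 2.2.2.2 (not),
    plus three success events of which only the 1.1.1.1 one inside the window should correlate."""
    blocks = [{"_time": BASE + i, "type": "blocks", "ip": "1.1.1.1, 10.0.0.5"} for i in range(60)]
    blocks += [{"_time": BASE + 100 + i, "type": "blocks", "ip": "2.2.2.2"} for i in range(10)]
    success = [
        {"_time": BASE + 120, "type": "success", "ip": "1.1.1.1, 10.0.0.5", "route": "/login"},  # inside window
        {"_time": BASE + 7200, "type": "success", "ip": "1.1.1.1", "route": "/login"},            # two hours later: genuine use
        {"_time": BASE + 60, "type": "success", "ip": "2.2.2.2", "route": "/login"},              # never exceeded threshold
    ]
    return blocks, success


def suspicious_windows(block_events, threshold=THRESHOLD, span=SPAN, pad=PAD):
    """The subsearch: bin _time, count by src per bin, keep src with count > threshold and
    return one row of src/earliest/latest per bin, as "| fields src earliest latest" would."""
    counts = {}
    for ev in block_events:
        bin_start = ev["_time"] - ev["_time"] % span          # what bin span=10m sets _time to
        key = (first_ip(ev["ip"]), bin_start)
        counts[key] = counts.get(key, 0) + 1
    return [
        {"src": src, "earliest": bin_start - pad, "latest": bin_start + pad}
        for (src, bin_start), n in sorted(counts.items())
        if n > threshold
    ]


def format_subsearch(windows) -> str:
    """Approximation of the default "| format" output: ( ( f="v" AND ... ) OR ( ... ) ).
    In the outer search, earliest/latest are read as time modifiers, not as field filters."""
    clauses = [
        '( src="{src}" AND earliest="{earliest}" AND latest="{latest}" )'.format(**w) for w in windows
    ]
    return "( " + " OR ".join(clauses) + " )" if clauses else "( )"


def correlate(success_events, windows):
    """The outer search: keep a success event only if its src appears in some window
    AND the event time falls inside that window's earliest..latest range."""
    hits = []
    for ev in success_events:
        src = first_ip(ev["ip"])
        if any(w["src"] == src and w["earliest"] <= ev["_time"] <= w["latest"] for w in windows):
            hits.append({"_time": ev["_time"], "src": src, "route": ev["route"]})
    return hits


if __name__ == "__main__":
    blocks, success = make_events()
    windows = suspicious_windows(blocks)
    print(format_subsearch(windows))
    for hit in correlate(success, windows):
        print(hit)
```

Two things the model makes visible about the final query above. Because the eval runs after bin span=10m, _time is already the bin start, so the window is 5 minutes either side of the bin start (20:55 to 21:05 for a 21:00 bin), not the bin's full 10 minutes; raise the padding if every block in the bin should be covered. And streamstats count by src emits one row for every event after the 50th, so the same window is repeated in the OR clause; a dedup src earliest latest before format keeps the subsearch small.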
As per the doc I am returning | fields src, earliest, latest. Now it will work for the outer search as below, right, for each result of the subsearch?
| outer query ("src1" AND earliest="earliest1" AND latest="latest1") OR ("src2" AND earliest="earliest2" AND latest="latest2")......
Is this assumption right?
index=_internal sourcetype=splunkd*
| eval earliest=_time-10, latest=_time+10
| fields source earliest latest
| tail 2
| format
Check the subsearch only.
Yeah, I did check the subsearch only; I am getting the format as I assumed 🙂
But earliest and latest are returned as epoch times; I hope those will also work fine.
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers
Epoch time is no problem.
I agree with @to4kawa: you need to use the earliest and latest properties in your searches.
You may try using your search below and add values for earliest and latest as needed, so they both run for the same time range:
index=trace type=success earliest=-7d@d latest= now() | eval temp=split(ip,",") |eval src=mvindex(temp,0) | search [search index=trace type=blocks earliest=-7d@d latest= now() | bin span=10m _time |eval temp=split(ip,",") |eval src=mvindex(temp,0)|stats count by src| where count > 50| fields src] | table _time src route
This will run the outer search and subsearch over the same time range, but this is not what I want.
Suppose 1.1.1.1 is a suspicious IP returned by the subsearch that occurred at 4/16/2020 21:00:00; then the outer search has to search for 1.1.1.1 from around 4/16/2020 20:55:00 to 4/16/2020 21:05:00, and similarly for the other results of the subsearch.
What I am getting is that 1.1.1.1 is searched across the whole time range and gives wrong results, as it might be a genuine IP at another time.
How do I run the main search with the same time frame as each result of the subsearch?
Your comment is not the same as your question. Please correct as appropriate.
And you should use earliest and latest.
This isn't helping me out with what I asked.
Read carefully.
I hope I have posted with the right title: "Main search should happen at same time for each result of subsearch"
Keep the subsearch _time, then create and use earliest and latest.
How? Can you please show how to use it in the query? I have already tried that, but I will try again.
You're the only one who knows the logs, so you'll have to make the queries.
https://answers.splunk.com/answers/527487/can-we-pass-earliest-and-latest-time-in-subsearch.html
This isn't helping me out with what I asked; this is just the time picker for searching the events. What I want is to match the time of the results obtained in the subsearch with the time in the main search, to ensure those are actual events that occurred at that time.