Splunk Search

How to generate a conditional search based on time?

mstark31
Path Finder

I need to figure out a way to execute one of two different search strings based on the time range in a first search.

If a sample is more than 2 weeks old, the associated lab data is stored in a summary index. [search1]
If a sample is less than 2 weeks old, the lab data will need to be live-calculated via a much more complicated search string (includes subsearch, join, dedup). [search2]

I tried to use multisearch, but since search2 contains non-streaming commands ( join & dedup), that didn't work.

Search1 and Search2 both return fields sample_name and sample_value, so not a single value. My understanding is that this prevents me from using eval/if based on _time or a time token from my search.

base search
| join sample_name
[ run either search1 or search2]
| table sample_name sample_value
0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

base search
| join sample_name
[[|noop|stats count AS search | addinfo | eval search=if(info_max_time<relative_time(now(), "-14d@d"), "Search1 String Here", "Search2 String Here")]]
| table sample_name sample_value


mstark31
Path Finder

Thank you everyone for your answers.
I ended up going in a slightly different direction with my solution, but I've learned so many new things based on your collective input.

0 Karma

woodcock
Esteemed Legend

So up-vote the useful answers and then pick the best one (or yours, this one) and click Accept to close the question.

woodcock
Esteemed Legend

Try this:

|noop|stats count AS search | addinfo | eval search=if(info_max_time<relative_time(now(), "-14d@d"), "Search1 String Here", "Search2 String Here") | map search="search  base search
| join sample_name [ $search$ ]
| table sample_name sample_value"
0 Karma

woodcock
Esteemed Legend

Like this:

base search
| join sample_name
[[|noop|stats count AS search | addinfo | eval search=if(info_max_time<relative_time(now(), "-14d@d"), "Search1 String Here", "Search2 String Here")]]
| table sample_name sample_value

mstark31
Path Finder

Are there any restrictions with using noop in a subsearch?
I tried this but got the error:
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '195' of search query 'search index=...{snipped} {errorcontext = [ [|noop }'

0 Karma

woodcock
Esteemed Legend

OK, see my other answer where I turn it inside out and use map instead of a nested subsearch.

0 Karma

somesoni2
SplunkTrust

Here is how I'd try it

Step1) create a saved search for each of search1 and search2, full query that you want to execute on the subsearch. Just a simple saved search. Say the names are search1 and search2 itself.

Step2) update your query like this

base search
 | join sample_name
 [ | savedsearch [| gentimes start=-1 | addinfo | eval search=if((info_max_time-info_min_time)>14*86400,"search1","search2") | table search ] nosubstitution=t]
 | table sample_name sample_value

The addinfo command adds the fields info_min_time and info_max_time, which are the earliest and latest values of the time range that you've selected. It will run the subsearch | savedsearch search1 if the selected time range is more than 2 weeks/14 days, or will run | savedsearch search2 otherwise.

0 Karma

DalJeanis
SplunkTrust

The question says "more than 2 weeks old" is the criterion, so you probably need something like if(info_max_time <= info_search_time -14*86400,...

0 Karma
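The three answers above each test a different condition on the addinfo fields, and they do not agree on every time range. The following Python model is an added example, not code from this thread or from Splunk: it reproduces the addinfo fields (info_min_time, info_max_time, info_search_time), approximates relative_time(now(), "-14d@d") with a UTC midnight snap (UTC is an assumption), and runs woodcock's, somesoni2's and DalJeanis's predicates over four constructed time ranges so the differences are visible before you commit to one in a dashboard.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TWO_WEEKS = 14 * 86400  # seconds; the same constant the answers above compare against


def utc(year, month, day, hour=0, minute=0):
    """Epoch seconds for a UTC wall-clock time (assumption: the search head runs in UTC)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp()


def relative_time_minus_14d_at_day(epoch):
    """Approximates SPL relative_time(<epoch>, "-14d@d"): subtract 14 days,
    then snap to the start of that day (midnight UTC assumed here)."""
    dt = datetime.fromtimestamp(epoch, tz=timezone.utc) - timedelta(days=14)
    return dt.replace(hour=0, minute=0, second=0, microsecond=0).timestamp()


@dataclass(frozen=True)
class SearchInfo:
    """Stand-in for the fields the addinfo command adds to every result."""
    info_min_time: float     # earliest edge of the selected time range
    info_max_time: float     # latest edge of the selected time range
    info_search_time: float  # when the search was dispatched (what now() returns)


def by_range_end_snapped(info):
    """woodcock's test: info_max_time < relative_time(now(), "-14d@d")."""
    cutoff = relative_time_minus_14d_at_day(info.info_search_time)
    return "search1" if info.info_max_time < cutoff else "search2"


def by_range_span(info):
    """somesoni2's test: (info_max_time - info_min_time) > 14*86400."""
    return "search1" if (info.info_max_time - info.info_min_time) > TWO_WEEKS else "search2"


def by_range_end_exact(info):
    """DalJeanis's test: info_max_time <= info_search_time - 14*86400."""
    return "search1" if info.info_max_time <= info.info_search_time - TWO_WEEKS else "search2"


def decide_all(info):
    """Which saved search each predicate would pick for one time range."""
    return {
        "end_snapped": by_range_end_snapped(info),
        "span": by_range_span(info),
        "end_exact": by_range_end_exact(info),
    }


# Constructed sample time ranges, all dispatched at 2024-03-15 12:00 UTC (hypothetical values).
DISPATCHED = utc(2024, 3, 15, 12)
SAMPLE_WINDOWS = {
    # entirely older than two weeks, but only nine days wide
    "old_short":   SearchInfo(utc(2024, 2, 1),  utc(2024, 2, 10),   DISPATCHED),
    # last five and a half days
    "recent":      SearchInfo(utc(2024, 3, 10), DISPATCHED,         DISPATCHED),
    # wide range that straddles the two-week boundary
    "wide":        SearchInfo(utc(2024, 2, 1),  DISPATCHED,         DISPATCHED),
    # ends six hours after the @d-snapped cutoff but before the exact one
    "near_cutoff": SearchInfo(utc(2024, 2, 20), utc(2024, 3, 1, 6), DISPATCHED),
}


def run_samples():
    """Evaluate every predicate on every sample time range."""
    return {name: decide_all(info) for name, info in SAMPLE_WINDOWS.items()}


if __name__ == "__main__":
    for name, verdicts in run_samples().items():
        print(f"{name:12s} {verdicts}")
```

The span-based test sends a short range of old data to the live search and a wide range that includes recent data to the summary index, which is the opposite of what "more than 2 weeks old" asks for; the two end-of-range tests agree with each other except within the partial day that the @d snap discards.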

niketn
Legend

@mstark31, here is one way to do it...

1) Whatever the time range in the first search is, you can define a Time input for it. I have used tok_time as the time token in my example.

  <fieldset submitButton="false">
    <input type="time" token="tok_time" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>

2) Run a dummy search to compare the selected Earliest and Latest Time and set the index/environment name to summary or realtime (ideally to be passed to a macro to set the criteria of the base search etc.)

  <!-- Dummy Search to set index name for main query based on time range selected -->
  <search>
    <query>| makeresults
  | eval now=_time</query>
      <earliest>$tok_time.earliest$</earliest>
      <latest>$tok_time.latest$</latest>
    <sampleRatio>1</sampleRatio>
    <preview>
          <!-- Compare today's date with the Earliest Time in the time range and,
          if greater than 2 weeks (2*7*24*60*60=1209600 seconds), set Summary;
          else set Realtime index -->
          <condition match="$result.now$-$job.searchEarliestTime$>1209600">
            <set token="selectedIndex">summary</set>
          </condition>
          <condition>
            <set token="selectedIndex">realtime</set>
          </condition>
    </preview>
</search>

Finally, use the $selectedIndex$ token to set the index to summary. Ideally do this through a macro which takes a string value for the environment as a parameter; this way you can set other criteria for the base search if you want, e.g. the summary index will have sourcetype stash.

<!-- Use $selectedIndex$ token to set index in main search-->
<search>
  <query> base search
  | join sample_name
    [ `setindex($selectedIndex$)`
      |<remaining Search> ]
  | table sample_name sample_value
  </query>
</search>

PS: One more condition you can try out is to check whether the Earliest and Latest time span more than two weeks, and if so go for the Summary Index

 <condition match="$job.searchLatestTime$-$job.searchEarliestTime$>1209600">
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma