Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to make subsearch use same time range, same index, same sourcetype as outer search?

petenetwork
Explorer
‎06-13-2019 08:15 PM

So I specify an outer query, it usually starts like this:

earliest=06/14/2019:13:00:00 latest=06/14/2019:14:00:00
index=os sourcetype=ps

So far, so good. Now I want to find all PIDs using the same Java command line, e.g.

|search [search
  CMD=java*
  |table CMD
]

Then summarise the results:

|stats values(PID) as PIDs by CMD

The issue is that my subsearch doesn't seem to default itself to the earliest and latest fields I specified at the very beginning of the query. In fact I have to pad my subsearch like this:

|search [search
  earliest=06/14/2019:13:00:00 latest=06/14/2019:14:00:00
  index=os sourcetype=ps      
  CMD=java*
  |table CMD
]

This is unnecessarily bulky. And I don't want to have to specify the time range multiple times.

How can I make my inner search (the "subsearch") adhere to the earliest and latest keywords specified to the outer search?

0 Karma
Reply

ragedsparrow
SplunkTrust
SplunkTrust
‎06-13-2019 08:52 PM

No, unfortunately. An outer search cannot pass values into a subsearch. Subsearches run before the outer searches so they can't get values that aren't there to begin with.

0 Karma
Reply

petenetwork
Explorer
‎06-13-2019 09:07 PM

Then how about the inverse? Does the outer search obey the limits set by the inner search? Will earliest and latest be honoured by the outer search if they are not explicitly overridden?

0 Karma
Reply

ragedsparrow
SplunkTrust
SplunkTrust
‎06-13-2019 09:23 PM

It can be done. The way it is done is kind of convoluted. I've never used it myself, but here is a very similar example where it was successfully done:

https://answers.splunk.com/answers/136791/use-a-subsearch-to-define-earliest-and-latest-for-main-sea...

You could use this example and build your query off of it to pass the time range from the subsearch to the outer search. I tested the example and it does sucessfully substitute the Outer and Sub search time ranges.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...