Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to parse outer search to get earliest and latest time range of subsearch?

shay
New Member
‎09-01-2020 11:22 PM

Hi,

I am trying to create a search the looks for specific signatures detected on the IPS and then returns all related firewall and proxy logs, grouped by each related set of events. I have written the following query. It is returning the correct results but taking hours to run and looks like the time fields are not being parsed to the outer search:

(index=ips OR index=firewall OR index=proxy)
     [search  index=ips signature_id  IN (25007, 25008,25009)
     | eval earliest=_time-300
     | eval latest = _time+60
     | fields earliest latest src_ip]
transaction src_ip

 

The search is run over 90days. The inner search completes after around 30sec and returns 6 results.
I am wanting to run the outer search for each of the six results (5min before the IPS event to 1min after).

While the results a get are correct, the search took 10hrs to run. If I manually enter the earliest and latest and src_ip  into the following each result only takes around 2min:

(index=ips OR index=firewall OR index=proxy) earliest=X latest=Y src_ip=Z
transaction src_ip

 

So I think the outer search is being run 6 times for either 'All Time' or 'Last 90days'. Can anyone assist me with getting the earliest and latest to parse so that it only runs the query on a 6min range for each result of the inner search?

 

Thanks very much.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-03-2020 11:08 AM
Can you try to get only
“| stats earliest_time(_time) as earliest latest_time(_time) as latest values(src_ip) “
from the Inner loop instead of those six separate earliest and latest?
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-03-2020 10:54 AM

yes, inner search takes time range from time range you chosen in time range picker. 

for example , if you choose last 90 days, inner search earliest time would be 90days-300seconds and latest time would now()+60 seconds.

I read your question properly understand that you want to pass different times based on your inner search results. is that right ?

————————————
If this helps, give a like below.
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-02-2020 12:11 AM 
index=firewall OR index=proxy 
    [ search index=ips signature_id IN (25007, 25008,25009) 
        [| gentimes start=-1 
        | addinfo 
        | eval earliest=info_min_time-300,latest=info_max_time+60 
        | table earliest,latest] 
    | stats count by src_ip 
    | table src_ip
        ]
————————————
If this helps, give a like below.
0 Karma
Reply

shay
New Member
‎09-02-2020 04:54 PM

Thanks for your reply @thambisetty .

Unfortunately that isn't working. It is still taking many hours to run and now it returns 1000s of results. Results that do not match the times of the subsearch. It appears to be pulling the all the logs relating to any of the IPs from the last 90days.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...