Splunk Search

How to run different timerange in subsearch versus the original search?

rafasalo
Engager

Hi,

I'm trying to execute this query:

index=index_cbo  [search index=index_cbo 12018955000155 "An error ocurred during \"Conexão com servidores\" initialization step."| dedup CNPJ| table CNPJ]

12018955000155 is my ID.

Basically I would like to get all events of this id (12018955000155) in my index_cbo.

The problem is that I just get results up to the time of the last event with the Message "An error ocurred during \"Conexão com servidores\" initialization step.". To make it clear, I have, for example, 3 events with the corresponding times:

09:00:00 Message: Hello World
08:59:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
07:40:00 Message: An error ocurred during \"Conexão com servidores\" initialization step

Instead of getting all 3 events as the result of my query, I'm just getting the 2 below (the one at 08:59:00 and the other at 07:40:00).
Can anyone help me? I want to get the 3 events...

Thanks in advance!

PS: Just for the sake of testing, in the example below I've forced my subsearch results into a table of just one id (12018955000155).

0 Karma

rafasalo
Engager

I've found the problem:

Here is the solution:

index=index_cbo  [search index=index_cbo 12018955000155 "An error ocurred during"| dedup CNPJ|rename CNPJ as CNPJ_WS | table CNPJ_WS]

The field that identifies the message 09:00:00 Message: Hello World is CNPJ_WS and not just CNPJ.
Thank you folks.

cheers

0 Karma
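To see why the rename in the solution above matters, here is an added example (not code from the thread) that models how Splunk expands a subsearch into the implicit filter the outer search runs, in the default `| format` shape you would also see under Job > Inspect Job. The events, field layout and ID are constructed to fit this thread; it is assumed the error events carry both CNPJ and CNPJ_WS while the "Hello World" event carries only CNPJ_WS.

```python
# Added example, not code from the thread: a small model of how Splunk
# expands a subsearch into an implicit filter for the outer search, and
# why renaming CNPJ to CNPJ_WS inside the subsearch changes which outer
# events match. Events and field layout are constructed to fit the thread
# (assumed: the error events carry both CNPJ and CNPJ_WS, the "Hello
# World" event carries only CNPJ_WS).
ID = "12018955000155"
ERR = 'An error ocurred during "Conexão com servidores" initialization step'
EVENTS = [  # constructed sample events, newest first
    {"_time": "09:00:00", "CNPJ_WS": ID, "Message": "Hello World"},
    {"_time": "08:59:00", "CNPJ": ID, "CNPJ_WS": ID, "Message": ERR},
    {"_time": "07:40:00", "CNPJ": ID, "CNPJ_WS": ID, "Message": ERR},
]


def subsearch(events, id_value, rename_to=None):
    """Inner search: free-text term id_value plus the error text, then
    `dedup CNPJ`, optional `rename CNPJ as <rename_to>`, `table <field>`."""
    out_field = rename_to or "CNPJ"
    seen, rows = set(), []
    for ev in events:
        if id_value not in ev.values() or "An error ocurred during" not in ev["Message"]:
            continue
        if "CNPJ" not in ev or ev["CNPJ"] in seen:
            continue  # dedup keeps the first (newest) event per CNPJ value
        seen.add(ev["CNPJ"])
        rows.append({out_field: ev["CNPJ"]})
    return rows


def format_filter(rows):
    """Default `| format` rendering: ( ( f="v" AND g="w" ) OR ( ... ) ).
    This is the string Job > Inspect Job shows inside litsearch."""
    if not rows:
        return "NOT ()"
    clauses = ["( " + " AND ".join(f'{k}="{v}"' for k, v in r.items()) + " )" for r in rows]
    return "( " + " OR ".join(clauses) + " )"


def outer_search(events, rows):
    """Outer search: keep events matching any OR clause as exact field=value."""
    return [ev for ev in events
            if any(all(ev.get(k) == v for k, v in r.items()) for r in rows)]


if __name__ == "__main__":
    for rename in (None, "CNPJ_WS"):
        rows = subsearch(EVENTS, ID, rename)
        print(format_filter(rows), "->", [ev["_time"] for ev in outer_search(EVENTS, rows)])
```

Without the rename the expanded filter is `CNPJ="..."`, which the "Hello World" event cannot satisfy; with the rename it becomes `CNPJ_WS="..."`, which all three constructed events satisfy.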

mchandrasekaran
Splunk Employee

Hi,

I am trying to pass the time from a subsearch to the main search. I used the rename function the way you have mentioned in the above comment, but it is not working. Any idea on what might be the issue?

This is the subsearch that I am using :

[|search source=wineventlog:security EventCode=4740 | rename _time as lockout_time | fields user,lockout_time]

Thank you

0 Karma

somesoni2
Revered Legend

You don't need a pipe at the start of this subsearch. Once you fix that, your fields user and lockout_time will be passed to the main search. I'm assuming your base search has fields user and lockout_time and you want to use this subsearch as a filter for those two field values.

0 Karma

mchandrasekaran
Splunk Employee

Yes, I am using user and lockout_time as a filter. I am able to pass it as _time; the problem arises when I use rename _time as lockout_time.

0 Karma

sundareshr
Legend

You need to change the format of lockout_time in your sub-search. _time is in epoch format. To change the format you can use the strftime(lockout_time, "%m-%d-%Y") command (use appropriate modifiers).

0 Karma

mchandrasekaran
Splunk Employee

Got it. Thank you so much.

0 Karma

sundareshr
Legend

What do you get when you try this search:

index=index_cbo CNPJ="12018955000155"
0 Karma

rafasalo
Engager

Sorry, I have run my query again. When I search index=index_cbo CNPJ="12018955000155" I get:

 08:59:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
 07:40:00 Message: An error ocurred during \"Conexão com servidores\" initialization step

BTW, for the message 09:00:00 Message: Hello World the name of the field is not CNPJ but CNPJ_WS.

0 Karma

sundareshr
Legend

So it appears your original subsearch is returning correct results? What is your desired final output?

0 Karma

PPape
Contributor

You could try this: index=index_cbo (CNPJ="12018955000155" OR CNPJ_WS="12018955000155")

But I didn't really understand why you need a subsearch... maybe it would help if you pastebin a small sample of your data and give us a preview of the table you expect to see after your query.

0 Karma

rafasalo
Engager

 09:00:00 Message: Hello World
 08:59:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
 07:40:00 Message: An error ocurred during \"Conexão com servidores\" initialization step

However, when I use the subsearch I just get

 08:59:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
 07:40:00 Message: An error ocurred during \"Conexão com servidores\" initialization step

0 Karma

sundareshr
Legend

Click on Job>>Inspect Job and in the pop up window, search for litsearch. What is in the final query? You should see something like index=index_cbo CNPJ="12018955000155"

0 Karma