Hi,
I'm trying to execute this query:
index=index_cbo [search index=index_cbo 12018955000155 "An error ocurred during \"Conexão com servidores\" initialization step."| dedup CNPJ| table CNPJ]
12018955000155 is my ID.
Basically I would like to get all events of this id (12018955000155) in my index_cbo.
The problem is that I just get results up to the time of the last event with the Message "An error ocurred during \"Conexão com servidores\" initialization step.". To make it clear, I have, for example, 3 events with the corresponding times:
09:00:00 Message: Hello World
08:59:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
07:40:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
Instead of getting all 3 events as a result of my query, I'm just getting the 2 below (the one at 08:59:00 and the other at 07:40:00).
Can anyone help me? I want to get the 3 events...
Thanks in advance!
PS: Just for the sake of testing, in the example below I've forced my subsearch results into a table of just one id (12018955000155).
I've found the problem:
Here is the solution:
index=index_cbo [search index=index_cbo 12018955000155 "An error ocurred during"| dedup CNPJ|rename CNPJ as CNPJ_WS | table CNPJ_WS]
The field that identifies the message 09:00:00 Message: Hello World is CNPJ_WS and not just CNPJ.
Thank you folks.
cheers
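As an added example (not from any poster in this thread), here is a small Python model of how Splunk turns the subsearch rows into the outer search's filter, run over constructed events. It assumes the two error events carry both CNPJ and CNPJ_WS while the Hello World event only has CNPJ_WS, which is what the poster's outcome implies.

```python
# Added example (not from the thread): a toy model of how Splunk expands a
# subsearch into a filter, to show why the "Hello World" event was missed.
# Events below are constructed; assumes the two error events carry both CNPJ
# and CNPJ_WS while the Hello World event only has CNPJ_WS (matches the thread).
ID = "12018955000155"
ERR = 'An error ocurred during "Conexão com servidores" initialization step'
EVENTS = [
    {"_time": "09:00:00", "CNPJ_WS": ID, "Message": "Hello World"},
    {"_time": "08:59:00", "CNPJ": ID, "CNPJ_WS": ID, "Message": ERR},
    {"_time": "07:40:00", "CNPJ": ID, "CNPJ_WS": ID, "Message": ERR},
]

def subsearch(events, needle, field, rename_to=None):
    """Model of: search "<needle>" | dedup <field> | rename <field> as <rename_to> | table ...
    Returns the rows the subsearch hands back to the outer search."""
    rows, seen = [], set()
    for e in events:
        if needle in e.get("Message", "") and field in e and e[field] not in seen:
            seen.add(e[field])
            rows.append({rename_to or field: e[field]})
    return rows

def expand_filter(rows):
    """Splunk rewrites subsearch rows as (f="v" AND ...) OR (f="v" AND ...)."""
    return " OR ".join(
        "(" + " AND ".join(f'{k}="{v}"' for k, v in r.items()) + ")" for r in rows)

def outer_search(events, rows):
    """An event matches a row only if every field in the row exists with that value."""
    return [e for e in events
            if any(all(e.get(k) == v for k, v in r.items()) for r in rows)]

def run(rename_to=None):
    """Run the thread's query with or without 'rename CNPJ as CNPJ_WS'."""
    rows = subsearch(EVENTS, "An error ocurred during", "CNPJ", rename_to)
    return expand_filter(rows), outer_search(EVENTS, rows)

if __name__ == "__main__":
    for rename in (None, "CNPJ_WS"):
        flt, hits = run(rename)
        print(flt, "->", [e["_time"] for e in hits])
```

Without the rename the generated filter is CNPJ="12018955000155", which the Hello World event cannot satisfy because it has no CNPJ field; Job Inspector's litsearch shows the same expanded filter for the real search.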
Hi,
I am trying to pass the time from a subsearch to the main search. I used the rename function the way you have mentioned in the above comment, but it is not working. Any idea on what might be the issue?
This is the subsearch that I am using :
[|search source=wineventlog:security EventCode=4740 | rename _time as lockout_time | fields user,lockout_time]
Thank you
You don't need a pipe at the start of this subsearch. Once you fix that, your fields user and lockout_time will be passed to the main search. I'm assuming your base search has the fields user and lockout_time and you want to use this subsearch as a filter for those two field values.
Yes, I am using user and lockout_time as a filter. I am able to pass it as _time, the problem arises when I use rename _time as lockout_time
You need to change the format of lockout_time in your subsearch. _time is in epoch format. To change the format you can use the strftime(lockout_time, "%m-%d-%Y") command (use appropriate modifiers).
Got it. Thank you so much.
What do you get when you try this search
index=index_cbo CNPJ="12018955000155"
Sorry, I have run my query again. When I search index=index_cbo CNPJ="12018955000155" I get:
08:59:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
07:40:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
BTW, for the message 09:00:00 Message: Hello World the name of the field is not CNPJ but CNPJ_WS.
So it appears your original subsearch is returning correct results? What is your desired final output?
you could try this: index=index_cbo (CNPJ="12018955000155" OR CNPJ_WS="12018955000155")
but I didn't really understand why you need a subsearch... maybe it would help if you pastebin a small sample of your data and give us a preview of the table you expect to see after your query
09:00:00 Message: Hello World
08:59:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
07:40:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
However, when I use the subsearch I just get
08:59:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
07:40:00 Message: An error ocurred during \"Conexão com servidores\" initialization step
Click on Job>>Inspect Job and in the pop up window, search for litsearch. What is in the final query? You should see something like index=index_cbo CNPJ="12018955000155"