Solved: How to subsearch/multisearch date based on minimum...

arusoft · ‎03-29-2022

lets say I have a subsearch or multisearch.

I want to have my subsearch/multisearch date to be 30 days before the start of main search date.

Right now i have it hardcoded all the way from start date of my data . But in reality I am interested only 30 day before main search. The main search will be something like "Before 03/01/2022". So here my subsearch earliest date should be from "03/01/2022" minus 30 days till "03/01/2022"

| multisearch
[search index="abc" ]
[search index="xyz" earliest="11/01/2021:20:00:00"]

Thanks.

somesoni2 · ‎03-30-2022

Give this a try

| multisearch
[search index="abc" ]
[search index="xyz" [| makeresults | addinfo | eval earliest=relative_time(info_max_time,"-30d@d") | eval latest=info_max_time | table earliest latest]]

View solution in original post

somesoni2 · ‎03-30-2022

Give this a try

| multisearch
[search index="abc" ]
[search index="xyz" [| makeresults | addinfo | eval earliest=relative_time(info_max_time,"-30d@d") | eval latest=info_max_time | table earliest latest]]

arusoft · ‎03-30-2022

Thaks @somesoni2. Below is simple test based on your example and this is working fine, but I am not understanding what is going on here ? Why are they in brackets []? Are we overwriting time modifiers earliest and latest fields? If yes why are these fields not highlighted in green color indicating that they are time modifiers fields.

index="xxx" [| makeresults | addinfo | eval earliest=relative_time(info_min_time,"-30d@d") | eval latest=info_max_time | table earliest latest]
|timechart span=1d count

Also why is this not working. This looks like just ignoring the eval I did similar to above.

index="xxx" 
| addinfo 
| eval earliest=relative_time(info_min_time,"-30d@d") 
| eval latest=info_max_time 
|timechart span=1d count

Thanks

somesoni2 · ‎03-31-2022

The subsearch with "makeresults" is generating custom time range, earliest and latest. Using it in the way mentioned here, will add (behind the scene) "earliest=<value> AND latest=<value>" in the subsearch using it. Since it happens behind the scene, syntax is not highlighted.

| multisearch
[search index="abc" ]
[search index="xyz" [| makeresults | addinfo | eval earliest=relative_time(info_max_time,"-30d@d") | eval latest=info_max_time | table earliest latest]]

Below search doesn't work because, earliest and latest is being added as field and not as filter.

index="xxx" 
| addinfo 
| eval earliest=relative_time(info_min_time,"-30d@d") 
| eval latest=info_max_time 
| timechart span=1d count

gcusello · ‎03-29-2022

Hi @arusoft,

you could use a larger time period for both the searches (e.g. two monts), then in the main search put an additional limitation like this:

your_main_search
| eval main_earliest=relative_time(earliest,"-30d")
| search _time>main_earliest
| ...

and in the subsearch use something like this:

your_main_search
| eval sub_latest=relative_time(earliest,"-30d")
| search _time<sub_latest
| ...

Obviously it isn't a very performant search!

if you have few events, you can use as it is, otherwise you have to accelerate it using e.g. a summary indexes.

Ciao.

Giuseppe

arusoft · ‎03-30-2022

Thanks @gcusello .

Below is what I tried and I am getting no data. I have data all the way form Nov 1, 2021. And I ran the below search for last 30 days. So I was hoping it would give me data from last 60 days since I am going 30 earlier than my earliest main search. BTW I am running this directly in search and not in dashboard.

index=xxx
| eval main_earliest=relative_time(earliest,"-30d")
| search _time>main_earliest

gcusello · ‎03-31-2022

Hi @arusoft,

please try this:

index=xxx
| addinfo
| eval main_earliest=relative_time(info_min_time,"-30d")
| search _time>main_earliest

Ciao.

Giuseppe

How to subsearch/multisearch date based on minimum of main search?

subsearch

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?