I'm looking to take events from a subsearch, and find correlating events in a main search. The scenario is something like this:
The subsearch will find an event of interest and pass certain fields to the outer search, notably the time of the event and the hostname.
In the main search, go back ~5m from the "event time" from the subsearch. Below is the basic example I'm working with now. Thanks for the help.
index=applogin sourcetype=logins login=success [search index="application" sourcetype="app:syslog" application=something | table _time,index,sourcetype,hostname,filename,path | fields _time hostname] | table _time user apptext
In Splunk, it's usually best to just specify the individual records you need connected together, rather than trying to do correlated searches.
You can read a full explanation/analogy of why on this thread - https://answers.splunk.com/answers/561130/sql-analogy-for-my-log-search-join-two-tables-wher.html
It looks like you need these...
search index="application" sourcetype="app:syslog" application=something hostname=* | table _time hostname app_text
...connected to these...
index=app_login sourcetype=logins login=success hostname2=* | table _time hostname2 user
So to accomplish that, you should do something like this...
((index="application" sourcetype="app:syslog" application=something hostname=*) OR (index=app_login sourcetype=logins login=success hostname2=*))
| rename COMMENT as "the above selects all the records that might be relevant on either side"
| rename COMMENT as "adjust the name of the match field - host in this case - if it was different"
| eval hostname=if(index="app_login",hostname2,hostname)
| rename COMMENT as "cut down to the fields we really need."
| table _time index hostname user app_text
| rename COMMENT as "sort in order and then copy the most recent user name within 5 minutes (LastUser5m)"
| rename COMMENT as "and all user names within 5 minutes (AllUsers5m) from the same host"
| sort 0 _time
| streamstats current=t time_window=300s last(user) as LastUser5m, values(user) as AllUsers5m by hostname
| rename COMMENT as "kill unneeded records and mark any where no users were found"
| where index!="app_login"
| fillnull value="not found" LastUser5m AllUsers5m
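To make the windowing in that search concrete, here is an added Python re-implementation of the same steps (merge both sources, normalize the host field, sort by time, collect the logins from the same host in the preceding five minutes, drop the login rows, fill "not found"). It is not from the answer above and not Splunk code; the events are constructed, and it assumes the window is inclusive of exactly five minutes and that values() returns the distinct users sorted, which is how the SPL is read here.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # same span as time_window=300s

# Constructed sample events standing in for the two Splunk sources (not real log data).
LOGIN_EVENTS = [
    {"index": "app_login", "_time": "2024-01-01T10:00:00", "hostname2": "web01", "user": "alice"},
    {"index": "app_login", "_time": "2024-01-01T10:03:00", "hostname2": "web01", "user": "bob"},
    {"index": "app_login", "_time": "2024-01-01T10:20:00", "hostname2": "web02", "user": "carol"},
]
APP_EVENTS = [
    {"index": "application", "_time": "2024-01-01T10:04:00", "hostname": "web01", "app_text": "config changed"},
    {"index": "application", "_time": "2024-01-01T10:09:00", "hostname": "web01", "app_text": "service restarted"},
    {"index": "application", "_time": "2024-01-01T10:21:00", "hostname": "web02", "app_text": "file deleted"},
    {"index": "application", "_time": "2024-01-01T10:30:00", "hostname": "web03", "app_text": "cron ran"},
]


def parse(ts):
    """Constructed timestamps are ISO-8601; treat them as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def normalize(events):
    """Mirror `eval hostname=if(index="app_login",hostname2,hostname)` and the `table`."""
    out = []
    for e in events:
        host = e["hostname2"] if e["index"] == "app_login" else e["hostname"]
        out.append({"_time": parse(e["_time"]), "index": e["index"], "hostname": host,
                    "user": e.get("user"), "app_text": e.get("app_text")})
    return out


def correlate(login_events, app_events, window=WINDOW):
    """Mirror `sort 0 _time | streamstats time_window last(user) values(user) by hostname`
    followed by `where index!="app_login" | fillnull value="not found"`."""
    events = sorted(normalize(login_events + app_events), key=lambda e: e["_time"])
    logins_by_host = {}  # hostname -> [(time, user)] already streamed past, oldest first
    results = []
    for e in events:
        bucket = logins_by_host.setdefault(e["hostname"], [])
        if e["index"] == "app_login":
            bucket.append((e["_time"], e["user"]))  # contributes to later windows
            continue
        # streamstats window: logins from the same host no older than the window
        in_window = [u for t, u in bucket if e["_time"] - t <= window]
        results.append({
            "_time": e["_time"].isoformat(),
            "hostname": e["hostname"],
            "app_text": e["app_text"],
            "LastUser5m": in_window[-1] if in_window else "not found",
            "AllUsers5m": sorted(set(in_window)) if in_window else "not found",
        })
    return results


if __name__ == "__main__":
    for row in correlate(LOGIN_EVENTS, APP_EVENTS):
        print(row)
```

Running it shows why the sort matters: the 10:09 event on web01 gets "not found" because both logins on that host are more than five minutes old by then, while the 10:04 event sees alice and bob. The real search has the same shape, with streamstats keeping the per-host window instead of the dictionary here.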
You don't need table in the subsearch.
What do you get when you run the subsearch by itself?
index="application" sourcetype="app:syslog" application=something | fields _time hostname | format