Splunk Search

Is it possible to name the main search and the subsearch to distinguish which search produced which values in a table?

peterchow
Explorer

Dear all,

I have a following search

host="1.1.1.1" VPN=A | join IP [search host="1.1.1.1" VPN=b] | table _time, username

May I know if it is possible to give a name to the main search and the subsearch, such as searchA and searchB, so that when I create a table I can call out searchA._time and searchB._time?

Thanks

0 Karma
1 Solution

badrinath_itrs
Communicator

Hi,

You can try something like this to extract the _time value from the main search or the subsearch.

host="1.1.1.1" VPN=A | eval OuterTime=_time | join IP [search host="1.1.1.1" VPN=b | eval InnerTime=_time] | table _time, username, OuterTime, InnerTime

For such a requirement, I would prefer to use the stats command, as it is much faster.


0 Karma


peterchow
Explorer

Thanks a lot. It seems to work, but the time shows a sequence number. Do you know why?

0 Karma

badrinath_itrs
Communicator

Hi,

The time format will be an epoch timestamp, and you need to convert it to a human-readable format using the command below.

your search ... | convert timeformat="%Y %b %d %H:%M:%S:%3N" ctime(OuterTime) ctime(InnerTime)

Hope this resolves your query.

Additionally, if this solves your query, please mark this thread as answered.

0 Karma
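As an added example (not code from any of the posters), here is the stats-based form of the same correlation that the accepted answer recommends over join, with the epoch-to-readable conversion folded in. It assumes the field names used in the thread (host, VPN, IP, username) and that the VPN values are stored in the events exactly as A and b, since eval comparisons are case-sensitive even though the search-time filter VPN=A is not:

```spl
host="1.1.1.1" (VPN=A OR VPN=b)
| eval searchA_time=if(VPN=="A", _time, null()),
       searchB_time=if(VPN=="b", _time, null())
| stats max(searchA_time) AS searchA_time,
        max(searchB_time) AS searchB_time,
        values(username) AS username
        BY IP
| where isnotnull(searchA_time) AND isnotnull(searchB_time)
| eval searchA_time=strftime(searchA_time, "%Y %b %d %H:%M:%S"),
       searchB_time=strftime(searchB_time, "%Y %b %d %H:%M:%S")
| table IP, username, searchA_time, searchB_time
```

A single pass pulls both VPN sides into one result set, the first eval tags each event's _time with the side it came from, and stats collapses them to one row per IP. The where clause reproduces the inner-join behaviour of keeping only IPs seen on both sides. Note the semantic difference: max() keeps the latest timestamp per side and values() collects every username seen for that IP, whereas join takes the first matching subsearch row, and the subsearch is also capped by the subsearch result limit, which stats avoids. The final eval does the same epoch-to-text conversion as convert ctime(), using strftime instead.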

peterchow
Explorer

It works. Thanks a lot

0 Karma

sundareshr
Legend

You cannot name a search, but you can achieve what you're looking for by renaming the fields in each of the searches, like so.

host="1.1.1.1" VPN=A | eval searchA_time=_time | join IP [search host="1.1.1.1" VPN=b | eval searchB_time=_time | fields searchB_time] | table searchA_time searchB_time username

0 Karma