Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to name the main search and the subsearch to distinguish which search produced which values in a table?

peterchow
Explorer
‎05-17-2016 02:47 AM

Dear all,

I have a following search

host="1.1.1.1" VPN=A | join IP [search host="1.1.1.1" VPN=b] table _time,username

May I know is it possible give a name to the main search and sub search, such as searchA and searchB. so when I create a table, I can call out searchA._time and searchB._time

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

badrinath_itrs
Communicator
‎05-17-2016 05:46 AM

Hi ,

You can try something like this to extract the _time value from main search or sub search .

host="1.1.1.1" VPN=A | eval OuterTime=_time| join IP [search host="1.1.1.1" VPN=b | eval InnerTime=_time ] table _time,username
OuterTime InnerTime

For such requirement, I would prefer to use stats command as it is much faster.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

badrinath_itrs
Communicator
‎05-17-2016 05:46 AM

Hi ,

You can try something like this to extract the _time value from main search or sub search .

host="1.1.1.1" VPN=A | eval OuterTime=_time| join IP [search host="1.1.1.1" VPN=b | eval InnerTime=_time ] table _time,username
OuterTime InnerTime

For such requirement, I would prefer to use stats command as it is much faster.

0 Karma
Reply
Solved! Jump to solution

peterchow
Explorer
‎05-18-2016 12:49 AM

thanks a lot. It seems work but the time show sequence number. do you know why

0 Karma
Reply
Solved! Jump to solution

badrinath_itrs
Communicator
‎05-18-2016 04:29 PM

Hi ,

The time format will be epoch timestamp and you need to convert to Human readable format using below command. 

your search .. |convert timeformat="%Y %b %d %H:%M:%S:%3N" ctime(OuterTime) ctime(InnerTime)

Hope this resolves your query.

Additionally if this solves your query, please mark this thread as answered.

0 Karma
Reply
Solved! Jump to solution

peterchow
Explorer
‎05-18-2016 07:37 PM

It works. Thanks a lot

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎05-17-2016 05:18 AM

You cannot name a search by you can achieve what you're looking for by renaming the fields in each of the searches, like so.

host="1.1.1.1" VPN=A | eval searchA_time=_time | join IP [search host="1.1.1.1" VPN=b | eval searchB_time=_time | fields searchB_time ] table searchA_time searchB_time username
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...