Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join time selector based on event of main search

agodoy
Communicator
‎06-11-2013 01:49 PM

Is it possible to do a search with a join and the events from the join search be relative to the time of the events of the main search?

Lets say sourceA returns web server access log. SourceB has a running lists of IP address and systems that were assigned the IP address.

For example, web server log has IP address 192.168.1.2 at around 2 pm. I want to search sourceB from 1pm to 3pm. Both sources have the src_ip field.

Example search:
sourceA | join src_ip [search sourceB]

Any ideas?

Tags (1)
0 Karma
Reply

chris
Motivator
‎06-11-2013 02:14 PM

This is probably not what you want but you may be able to use the map command to get some results:

index=_internal | stats count by host | addinfo |eval info_min_time=info_min_time-3600 | eval info_max_time=info_max_time+3600 | map search="search index=_internal host=$host$ starttimeu=$info_min_time$ endtimeu=$info_max_time$ | fields _raw"

stats is used to return a list of the hosts in the base search
addinfo adds the search timess of the search
the evals change the span to whatever you want (+1h and -1h of the original searchspan)
the map command will loop through every result (the list of hosts with the modified inf_min/max_time fields and do a search you want

Someone else is going to have a better idea ...

0 Karma
Reply

agodoy
Communicator
‎06-14-2013 06:11 AM

I am running 4.3. The same search worked the next day, but the results were not quite what I was expecting.

0 Karma
Reply

chris
Motivator
‎06-12-2013 01:37 PM

Hi agody, I just ran the following search on a test instance and it worked fine index=* | head 10 | rename _time as time | map search="search index=* earliest=$time$" what version of Splunk are you running on

0 Karma
Reply

agodoy
Communicator
‎06-11-2013 02:45 PM

Hmm. I cant seem to get the map command to work.

Trying a simple search:
sourceA src_ip=X | rename _time as time | map search="index=y earliest=$time$"
Getting: [EventsViewer module] Error in 'map': Did not find value for required attribute 'time'.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...