Splunk Search

Modify subsearch time starting with timerange picker token

mstark31
Path Finder

I have a situation where I want to run a main search of one index over a time period driven by the time picker on a dashboard, but annotate the results with information from a second search. The subsearch doing the annotation needs to run over a time period that searches a week earlier than the main search.

My subsearch:

| join foo type=outer [search earliest=$field1.earliest$-604800 index="someindex" 

This works fine as long as the format of the time coming from the token is relative (@w, -d@d, etc.). If that token value is epoch time format (using date or date/time on the picker), the subsearch doesn’t run.

earliest=1511969191-608400 will not evaluate. earliest=@w-604800 will evaluate.

1 Solution

somesoni2
SplunkTrust

Try like this (adding another subsearch within join subsearch which returns manipulated earliest)

...base search
| join foo type=outer [search index="someindex" [| gentimes start=-1 | addinfo | eval earliest=info_min_time-604800 | table earliest] ..rest of join subsearch...

mstark31
Path Finder

Thank you! This appears to be working.
If I wanted to alter the latest time to be based on an offset from the earliest time, would this work? An example is to make the latest time 5 min after the earliest time.

[| gentimes start=-1 | addinfo | eval latest=info_min_time+300 | table latest]

Also, why do you use table vs. return in the last pipe of the gentimes subsearch?


Cuyose
Builder

For some reason I cannot get this to work. I simply want the entire dashboard to offset the latest time by 5 minutes. If I try the suggestion above in a query window with my base search, for some reason it alters the earliest time to months ago. Not sure what's going on; can't I just do this?

basesearch
[| gentimes start=-1 | addinfo | eval latest=info_max_time-300 | table latest]
|join.......


mstark31
Path Finder

I think I was having issues with the suggestion here as well, but I ended up going another route for my original problem. Thank you for coming up with a better solution!


Cuyose
Builder

I figured this out, added the earliest variable and used return at the beginning of the base search.

[| gentimes start=-1
| addinfo
| eval earliest=info_min_time
| eval latest=info_max_time-300
| return earliest latest]

somesoni2
SplunkTrust
SplunkTrust

For your latest time override, I would update the latest as well as the earliest in the subsearch; else, earliest would default to 0 (all times).

[| gentimes start=-1 | addinfo | eval latest=info_min_time+300 | eval earliest=info_min_time | table earliest latest]

If you want to return a single field (like in the first case), you can use either table or return. The table command is useful when returning multiple fields (like in the above case).

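As an added example (not from the thread), here is the pattern the answers describe carried through to a week-over-week comparison: the outer search runs over the dashboard time picker's range, and the join subsearch has both bounds shifted back 604800 seconds so it covers a window of the same width one week earlier, following the advice above to return earliest and latest together. The index name, sourcetype and the host field are assumed placeholders.

```spl
index="web_logs" sourcetype="access_combined"
| stats count AS current_count BY host
| join type=outer host
    [ search index="web_logs" sourcetype="access_combined"
        [| gentimes start=-1
         | addinfo
         | eval earliest=info_min_time-604800
         | eval latest=info_max_time-604800
         | table earliest latest ]
      | stats count AS previous_week_count BY host ]
| fillnull value=0 previous_week_count
| eval delta=current_count-previous_week_count
| table host current_count previous_week_count delta
```

If the picker is set to All time, addinfo reports info_max_time as +Infinity and the subtraction yields no usable latest, so this pattern needs a bounded time range on the dashboard.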

mstark31
Path Finder

Thank you! I inadvertently discovered the need to specify an earliest time with the latest time in another search yesterday, so good reminder.
