Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Pass time value into another search

bigrichie90
Path Finder
‎10-22-2014 08:33 AM

I have this query in which I join with another query. I want to take the earliest event of the first query, go back a certain amount of time (days, let's say a day = 86400 seconds) and plug that value into the earliest function in the second query. I have tried reformatting the time as stated in the docs and I keep getting a "Invalid value start for time term earliest". Is there a way, or a simpler way, of doing this?

source1 | stats earliest(_time) AS start | eval start=start-86400 | eval start=strftime(start, "%m/%d/%Y :%H:%M:%S") | eval event=_time | . . . | join dest_ip [search source2  _time<event **earliest=start** | . . .| dedup dest_ip sortby -_time]
0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-22-2014 09:16 AM

I would approach this with a subsearch. The subsearch (when filtering) is evaluated first, and its results are passed to the outer search, similar to "here documents" in a shell.

It looks to me like you want "find thing one, then go back up to a day and find thing two"? To make the search a bit easier, I'd actually turn the two around, maybe something like this.

source2  [ search source1 | stats earliest(_time) AS earliest, latest(_time) AS latest | eval earliest=earliest-86400 | return earliest, latest ]
| join dest_ip [ search source1 ... ]
| dedup dest_ip
| sort - _time

My thinking here is that the time range picker will apply to the subsearch in the join, but our time math will govern the time range of the search on source2.

0 Karma
Reply

bigrichie90
Path Finder
‎10-22-2014 09:23 AM

This seems to be closer to what I need. However, the reason source1 is the first query is so I can restrict source2's events to the ones that happened BEFORE each event in source1. Otherwise, current events from source1 will show up and distort the accuracy. (that's what the _timeLESSTHANevent was for) ---Sorry weird formatting when using the less than symbol.

0 Karma
Reply

bigrichie90
Path Finder
‎10-22-2014 09:12 AM

Edited. However, seconds are not the problem. The fact that the search will not run is the focus.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-22-2014 09:17 AM

Yeah, no worries, I was just in process typing up the search idea.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-22-2014 09:08 AM

A day is 86400 seconds.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...