Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Return Timestamp from inner and outter search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to create a search that finds two sequential events. So far I have:
index=wineventlog EventCode=4624 [ search index=wineventlog EventCode=4625 | eval earliest=_time | eval latest=_time+600 | fields earliest latest ComputerName ]
This works and returns successful windows logins that follow a failed login within a 10min period. What I want to do though is return a table that shows the time that the first event occurred and the time that the second triggering event occurred. I tried appending:
| table ComputerName earliest _time
But the earliest field comes back blank when I want that to be showing the time stamp fo the event that matched the subsearch.
Any help would be appreciated. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you trying to match anything from your sub-search? if not, can you try this?
index=wineventlog earliest="-10m@m" latest="now" EventCode=4624 OR EventCode=4625 | fields _time EventCode ComputerName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you trying to match anything from your sub-search? if not, can you try this?
index=wineventlog earliest="-10m@m" latest="now" EventCode=4624 OR EventCode=4625 | fields _time EventCode ComputerName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @nareshinsvu
Thanks for your answer.
I need to match the ComputerName from the subsearch and then use the time from the subsearch to find other events in the same time period.
In the example, I want to find all successful logins over the last week that occur within 10min of a failed login on the same computer.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I read it wrong. Can you try this? tweak the time format according to your need. Hope this should help now?
index=wineventlog EventCode=4624 OR EventCode=4625
| eval failed_time=if(EventCode=4625,strftime(_time,"%Y-%m-%dT%H:%M:%S"),"")
|eval Success_time=if(EventCode=4624,strftime(_time,"%Y-%m-%dT%H:%M:%S"),"")
| stats list(EventCode) as EventCode range(_time) AS duration values(failed_time) as failed_time values(Success_time) as Success_time BY ComputerName
| rex field=duration mode=sed "s/\..*$//"
| where duration <600
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. Not quite working yet, but I think you have pointed me down the right track.
Thanks.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
