Search help - need sub search to return time and host value for new search

Jaci
Splunk Employee

The first search (1) will return host values and time values. I need to have those values used in another search (2).

  1. search earliest=5/2/2010:18:00:00 latest=5/3/2010:18:00:00 | bucket _time span=10s | stats count(domain) as domain_count by _time host | autoregress domain_count p=1-5 | where domain_count/domain_count_p1 < .10

I get all kinds of errors when running the search below. I just do not know how to get the outside search to use the returned time and host values from the sub search.

  2. search earliest =-60m latest=_time host=host | " some other splunk stuff " [ search earliest=5/2/2010:18:00:00 latest=5/3/2010:18:00:00 | bucket _time span=10s | stats count(domain) as domain_count by _time host | autoregress domain_count p=1-5 | where domain_count/domain_count_p1 < .10 | fields _time, host]
0 Karma
1 Solution

sideview
SplunkTrust

When the fields come out of the subsearch, they'll use the field names that they had in the inner search, because they don't know any better.

You can see this for yourself, that is, see what search is actually getting run in the outer search, by running the whole shebang (getting 0 results), and then going to "actions > Inspect Search" in 4.1.

Scroll down and look for the strange-looking "rtlitsearch" entry. Ignore the other weird-looking stuff in there because it doesn't matter, but somewhere in there you'll see the terms that are getting contributed to the outer search from the inner search, and they'll look like:

last_time=1342143902 last_host=some_host_value start_time=12314124214

which won't work.

If you want time terms to come out, they have to be called earliest and latest, and the 'last_host' field should be called just plain old 'host'.

Also, I don't think you can use earliest and latest as part of an OR or anything, so there'll probably have to be a | head 1 in your inner search.

g_prez
Path Finder

Jacki posted this question for me ...

This was the inner search: [search earliest=5/3/2010:17:55:00 latest=5/3/2010:18:00:00 | bucket _time span=10s | stats count(domain) as domain_count by _time host | autoregress domain_count p=1-5 | where domain_count/domain_count_p1 < .10 | eval last_time= _time | eval last_host= host | eval start_time = last_time - 36000 | fields last_time, last_host, start_time]

The above search will return the time windows and host that I want to do the outer search on.

search * host=last_host earliest=last_time latest=start_time ...

I get back nothing from the outer search, but the inner search returns the results!

Help ... I am not too sure how to get Splunk to read the values from the inner search as variables for the search time window and host.

gprez

0 Karma
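A worked version of the pattern sideview describes, applied to g_prez's inner search, added here as an example; it is not something posted in the thread. It assumes a hypothetical index called `dns` that holds the events carrying the `domain` field, and it uses the window that g_prez's `start_time` expresses: the 36000 seconds (10 hours) before the flagged 10-second bucket, so the earlier boundary becomes `earliest` and the bucket time becomes `latest`. Apart from the `sort`/`head 1`, the `eval` that names the fields `earliest` and `latest`, and the trailing `format`, the inner search is g_prez's as posted. The first search is the inner search run on its own with `| format` appended, which prints the exact terms the subsearch would hand to the outer search (this is the same thing "Inspect Search" shows); the second is the outer search with the corrected subsearch in place.

```spl
index=dns earliest=5/3/2010:17:55:00 latest=5/3/2010:18:00:00
| bucket _time span=10s
| stats count(domain) AS domain_count BY _time host
| autoregress domain_count p=1-5
| where domain_count/domain_count_p1 < 0.10
| sort - _time
| head 1
| eval latest=_time, earliest=_time-36000
| fields earliest latest host
| format

index=dns
    [ search index=dns earliest=5/3/2010:17:55:00 latest=5/3/2010:18:00:00
      | bucket _time span=10s
      | stats count(domain) AS domain_count BY _time host
      | autoregress domain_count p=1-5
      | where domain_count/domain_count_p1 < 0.10
      | sort - _time
      | head 1
      | eval latest=_time, earliest=_time-36000
      | fields earliest latest host ]
| timechart span=10m count(domain) AS domain_count
```

The `format` output from the first search should read along the lines of `( ( earliest="<epoch>" AND host="<host>" AND latest="<epoch>" ) )`; if the field names shown there are anything other than `earliest`, `latest` and `host`, the outer search will treat them as ordinary field=value filters and return nothing, which is exactly the symptom in the question. `sort - _time | head 1` keeps the most recent flagged bucket, since, as sideview notes, a single pair of time boundaries is all a subsearch can contribute. If several hosts or windows need to be examined in one run, the `map` command is the usual alternative to a subsearch: it runs the outer search once per row with the row's values substituted, e.g. `| map search="search index=dns host=$host$ earliest=$earliest$ latest=$latest$ | timechart span=10m count(domain)"`.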

gkanapathy
Splunk Employee

I don't know what you are trying to do with this, regardless of the subsearch:

search earliest =-60m latest=_time host=host | " some other splunk stuff "

You already have a time range and host here. How is that supposed to relate to whatever you get back from a subsearch? What is " some other splunk stuff "? A literal? Search commands? Query terms? This matters.

0 Karma