Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Subsearch return multiple fields

antb
Path Finder
‎03-27-2020 04:49 AM

Hi and thank you in advance. I've simplified the problem for brevity sake.

I'm trying to return multiple fields by way of using a subsearch. Looking for a recent match in index2 where there was an older event occurring in index1.

An example would be detecting an attack with previous reconnaissance.

index=index1 earliest=-5h@h latest=-1h@h dst=* [search index=index2 earliest=-15m latest=now() dest=* | head 1 | eval index2_time=_time | return dst=dest ]

This works, for finding a match. However, I want to pass up the _time of the more recent event in index2 (index2_time) and that doesn't appear to populate.

0 Karma
Reply

manjunathmeti
Champion
‎03-27-2020 06:10 AM

If index2_time field is part of index1 then check with format. If not, replace field name index2_time with timestamp field in index1 which contains _time values.

index=index1 earliest=-5h@h latest=-1h@h dst=* [ search index=index2 earliest=-15m latest=now() dest=* | head 1 | eval index2_time=_time | fields dest, index2_time | format ]
0 Karma
Reply

antb
Path Finder
‎04-07-2020 01:03 PM

Hi @manjunathmeti, I reviewed this response (and waited to see if there were others) but not sure I understand. index2_time is just the example I'm using where I bubble up the _time - I could have chose any field. The assignment to index2_time isn't being populated as I can only return a single field.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...