Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Subsearch return multiple fields

antb
Path Finder
‎03-27-2020 04:49 AM

Hi and thank you in advance. I've simplified the problem for brevity sake.

I'm trying to return multiple fields by way of using a subsearch. Looking for a recent match in index2 where there was an older event occurring in index1.

An example would be detecting an attack with previous reconnaissance.

index=index1 earliest=-5h@h latest=-1h@h dst=* [search index=index2 earliest=-15m latest=now() dest=* | head 1 | eval index2_time=_time | return dst=dest ]

This works, for finding a match. However, I want to pass up the _time of the more recent event in index2 (index2_time) and that doesn't appear to populate.

0 Karma
Reply

manjunathmeti
Champion
‎03-27-2020 06:10 AM

If index2_time field is part of index1 then check with format. If not, replace field name index2_time with timestamp field in index1 which contains _time values.

index=index1 earliest=-5h@h latest=-1h@h dst=* [ search index=index2 earliest=-15m latest=now() dest=* | head 1 | eval index2_time=_time | fields dest, index2_time | format ]
0 Karma
Reply

antb
Path Finder
‎04-07-2020 01:03 PM

Hi @manjunathmeti, I reviewed this response (and waited to see if there were others) but not sure I understand. index2_time is just the example I'm using where I bubble up the _time - I could have chose any field. The assignment to index2_time isn't being populated as I can only return a single field.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...