Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Subsearch return multiple fields

antb
Path Finder
‎03-27-2020 04:49 AM

Hi and thank you in advance. I've simplified the problem for brevity sake.

I'm trying to return multiple fields by way of using a subsearch. Looking for a recent match in index2 where there was an older event occurring in index1.

An example would be detecting an attack with previous reconnaissance.

index=index1 earliest=-5h@h latest=-1h@h dst=* [search index=index2 earliest=-15m latest=now() dest=* | head 1 | eval index2_time=_time | return dst=dest ]

This works, for finding a match. However, I want to pass up the _time of the more recent event in index2 (index2_time) and that doesn't appear to populate.

0 Karma
Reply

manjunathmeti
Champion
‎03-27-2020 06:10 AM

If index2_time field is part of index1 then check with format. If not, replace field name index2_time with timestamp field in index1 which contains _time values.

index=index1 earliest=-5h@h latest=-1h@h dst=* [ search index=index2 earliest=-15m latest=now() dest=* | head 1 | eval index2_time=_time | fields dest, index2_time | format ]
0 Karma
Reply

antb
Path Finder
‎04-07-2020 01:03 PM

Hi @manjunathmeti, I reviewed this response (and waited to see if there were others) but not sure I understand. index2_time is just the example I'm using where I bubble up the _time - I could have chose any field. The assignment to index2_time isn't being populated as I can only return a single field.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...