Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Subsearch return multiple fields

antb
Path Finder
‎03-27-2020 04:49 AM

Hi and thank you in advance. I've simplified the problem for brevity sake.

I'm trying to return multiple fields by way of using a subsearch. Looking for a recent match in index2 where there was an older event occurring in index1.

An example would be detecting an attack with previous reconnaissance.

index=index1 earliest=-5h@h latest=-1h@h dst=* [search index=index2 earliest=-15m latest=now() dest=* | head 1 | eval index2_time=_time | return dst=dest ]

This works, for finding a match. However, I want to pass up the _time of the more recent event in index2 (index2_time) and that doesn't appear to populate.

0 Karma
Reply

manjunathmeti
Champion
‎03-27-2020 06:10 AM

If index2_time field is part of index1 then check with format. If not, replace field name index2_time with timestamp field in index1 which contains _time values.

index=index1 earliest=-5h@h latest=-1h@h dst=* [ search index=index2 earliest=-15m latest=now() dest=* | head 1 | eval index2_time=_time | fields dest, index2_time | format ]
0 Karma
Reply

antb
Path Finder
‎04-07-2020 01:03 PM

Hi @manjunathmeti, I reviewed this response (and waited to see if there were others) but not sure I understand. index2_time is just the example I'm using where I bubble up the _time - I could have chose any field. The assignment to index2_time isn't being populated as I can only return a single field.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...