Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use time and field from subsearch as search criteria in main search

nkavouris
Path Finder
‎08-29-2024 01:32 PM

I have a subsearch

[search index="june_analytics_logs_prod" (message=* new_state: Diagnostic, old_state: Home*)|
spath serial output=serial_number|
spath message output=message|
spath model_number output=model|
eval keystone_time=strftime(_time,"%Y-%m-%d %H:%M:%S.%Q")|
eval before=keystone_time-10|
eval after=_time+10|
eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S.%Q")|
table keystone_time, serial_number, message, model, after|


I would like to take the after and serial fields, use these fields to search construct a main  search like

search index="june_analytics_logs_prod" serial=$serial_number$ message=*glow_v:* earliest=$keystone_time$ latest=$after$|

Each event yielded by the subsearch yields a time when the event occured

I want to find events, matching the same serial, with messages containing "glow_v" within 10 seconds after each of the subsearch events

 

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-29-2024 11:44 PM

Hi @nkavouris ,

you can use a subsearch to filter results in the main search passing the fields with the same name and putting attention to pass only the fields to use for filtering, in your case:

  • keystone_time,
  • serial_number,
  • message,
  • after

but not model that isn't used in the main search.

The problem is the message field because you need to use it as a part of the search, ib this case you have to rename it in "query":

search index="june_analytics_logs_prod" 
[[search index="june_analytics_logs_prod" (message=* new_state: Diagnostic, old_state: Home*)
| spath serial output=serial_number
| spath message output=message
| spath model_number output=model
| eval 
     keystone_time=strftime(_time,"%Y-%m-%d %H:%M:%S.%Q"),
     before=keystone_time-10,
     after=_time+10,
     eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S.%Q")
| rename message AS query
| fields keystone_time serial_number query after ]

the renaming of message AS query permits to search in full text search mode.

I didn't use it with other fields, only by itself, but it should run.

Ciao.

Giuseppe

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-29-2024 01:46 PM

You're asking for trouble. While you might try to use subsearch to return a set of criteria for the main search it is a very unreliable way to do it and you're bound to have unexplained wrong search results especially if searching over larger datasets due to subsearch limitations.

Additionallly there are several problems with your searches.

Both are highly inefficient due to wildcard use at the beginning of search term.

You can't do arithmetics on a string-rendered timestamp.

This is not a right format for earliest/latest (to be safe it's best to just use epoch timestamps for those parameters if calculating them from subsearch).

Your first search contains several separate search terms instead of - as I presume - a single string.

After this overly long introduction - It's probably best done completely differently - for example with streamstats marking subsequent events.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...