Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use time and field from subsearch as search criteria in main search

nkavouris
Path Finder
‎08-29-2024 01:32 PM

I have a subsearch

[search index="june_analytics_logs_prod" (message=* new_state: Diagnostic, old_state: Home*)|
spath serial output=serial_number|
spath message output=message|
spath model_number output=model|
eval keystone_time=strftime(_time,"%Y-%m-%d %H:%M:%S.%Q")|
eval before=keystone_time-10|
eval after=_time+10|
eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S.%Q")|
table keystone_time, serial_number, message, model, after|


I would like to take the after and serial fields, use these fields to search construct a main  search like

search index="june_analytics_logs_prod" serial=$serial_number$ message=*glow_v:* earliest=$keystone_time$ latest=$after$|

Each event yielded by the subsearch yields a time when the event occured

I want to find events, matching the same serial, with messages containing "glow_v" within 10 seconds after each of the subsearch events

 

Labels (3)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-29-2024 11:44 PM

Hi @nkavouris ,

you can use a subsearch to filter results in the main search passing the fields with the same name and putting attention to pass only the fields to use for filtering, in your case:

  • keystone_time,
  • serial_number,
  • message,
  • after

but not model that isn't used in the main search.

The problem is the message field because you need to use it as a part of the search, ib this case you have to rename it in "query":

search index="june_analytics_logs_prod" 
[[search index="june_analytics_logs_prod" (message=* new_state: Diagnostic, old_state: Home*)
| spath serial output=serial_number
| spath message output=message
| spath model_number output=model
| eval 
     keystone_time=strftime(_time,"%Y-%m-%d %H:%M:%S.%Q"),
     before=keystone_time-10,
     after=_time+10,
     eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S.%Q")
| rename message AS query
| fields keystone_time serial_number query after ]

the renaming of message AS query permits to search in full text search mode.

I didn't use it with other fields, only by itself, but it should run.

Ciao.

Giuseppe

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎08-29-2024 01:46 PM

You're asking for trouble. While you might try to use subsearch to return a set of criteria for the main search it is a very unreliable way to do it and you're bound to have unexplained wrong search results especially if searching over larger datasets due to subsearch limitations.

Additionallly there are several problems with your searches.

Both are highly inefficient due to wildcard use at the beginning of search term.

You can't do arithmetics on a string-rendered timestamp.

This is not a right format for earliest/latest (to be safe it's best to just use epoch timestamps for those parameters if calculating them from subsearch).

Your first search contains several separate search terms instead of - as I presume - a single string.

After this overly long introduction - It's probably best done completely differently - for example with streamstats marking subsequent events.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...