Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using a result from one search in another search

htkhtk
Path Finder
‎09-09-2010 08:56 PM

I am trying to:

  1. Find a date/time of a certain event.
  2. Take that date/time from number 1. and use it to search for events only from that date/time forward.

If the date/time from number 1 was September 1st at 1:45.. Then for number 2, I would only want to get back events from September 1st and forward (forgetting about events before that.)

I need this to be automatic in the searches because the date/time range from number 1 will change based upon different circumstances.

I tried subsearches to no avail.

I am using _time.

Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-09-2010 10:22 PM

This should pretty much be it:

sourcetype=outer [ sourcetype=inner item=xxxx | head 1 | rename _time as earliest | fields earliest ]

I use head 1 to ensure just a single result, but if you only get one result some other way, that's fine too.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-09-2010 10:22 PM

This should pretty much be it:

sourcetype=outer [ sourcetype=inner item=xxxx | head 1 | rename _time as earliest | fields earliest ]

I use head 1 to ensure just a single result, but if you only get one result some other way, that's fine too.

0 Karma
Reply
Solved! Jump to solution

dennywebb
Path Finder
‎04-21-2013 12:57 AM

Is there a way to do this same thing... but for multiple results? like if i wanted to show a table full of IP stats/etc limited to the top 10 IP values of only 1 of those stats? or in this example, the earliest 10?

0 Karma
Reply
Solved! Jump to solution

htkhtk
Path Finder
‎09-10-2010 01:04 PM

This is exactly what i wanted.. thanks!

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎09-09-2010 10:33 PM

Yeah if you just want to bound, rather than get exact second, this is better.

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎09-09-2010 09:15 PM

This is pattern is possible using a subsearch, with kind of hack of a special field called 'search', mentioned over here:

http://answers.splunk.com/questions/3471/using-a-subsearch-to-get-the-time-of-an-event

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-09-2010 10:22 PM

you can't use a subsearch with the where command. Please see my other answer.

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎09-09-2010 09:55 PM

In the example given, there would be no where clause. It simply becomes a constraint on the base search, which is vastly more performant. The base search command can and does perform numerical equality testing as well as numerical comparisons.

0 Karma
Reply
Solved! Jump to solution

htkhtk
Path Finder
‎09-09-2010 09:29 PM

I have gotten that far but when I try to do the where _time > [that sub search here].. It doesn't work or sometimes i get an error that says the values aren't compatible

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...