Splunk Search

Using subsearch to parameterize outer search.

dinh
Path Finder

I have a subsearch that calculates a field call 'MyLatestTime' and I want to use that to set the latest field in my outer search. How would I do that?

For example:

"outer search" earliest="01/19/2010:00:00:00" latest=MyLatestTime ["inner search" | eval MyLatestTime = _time ]

I hope that made sense.

Thanks.

hulahoop
Splunk Employee

Hi Dinh,

To pass a field from the inner search to the outer search you must use the 'fields' command. Otherwise, Splunk will pass the results of the inner search as a set of events. Also, in the outer search, the assignment latest=MyLatestTime can be done in the inner search instead. Try this:

... earliest="01/19/2010:00:00:00" [search ... | eval MyLatestTime=_time | fields + MyLatestTime | rename MyLatestTime as latest]

gkanapathy
Splunk Employee

What Vi Ly replied is right. It may also help you to use the "format" command. When a subsearch is used as an argument to a "search" command, its output is implicitly passed through "format" (unless it has already been explicitly sent through format) to convert it into a single string value (called either "search" or "query"). That string is then expanded into arguments to the original search command.

So for example:

| stats count | eval latest="-18d" | fields + latest | format

yields a string:

( ( latest="-18d" ) )

or something like that. That string would then be made part of your original search command in place of the subsearch. The "format" command can take an entire table and format it, so if your subsearch returned the table:

field1   field2   field3
------   ------   ------
red          14   cow
black         7   wolf

"format" would return:

( ( field1=red AND field2=14 AND field3=cow ) OR ( field1=black AND field2=7 AND field3=wolf ) )

by default. If used in a subsearch in a "search" command, then, that query would be part of your search. Note that arguments to "format" can change the "AND", "OR" and parentheses to other characters (e.g., it is sometimes useful to generate a string like the above, but where "AND" is replaced with "OR").

Karan_Jindal
New Member

Hi,
I have a similar question. My inner search returns the date and time (e.g. 06-22-2015-23). I want to use this time in my outer search as earliest time = "06-22-2015-23", and latest should be one hour after that (06-23-2015-00), i.e. one hour past the earliest time.

For example:
"outer search" [search ... | eval MyLatestTime=_time | fields + MyLatestTime | rename MyLatestTime as earliest] latest= earliest+1

Thanks in advance

vbumgarn
Path Finder

This doesn't work for me. Here's what I'm trying to do:

sourcetype="ST" [search sourcetype="ST" foo=bar | stats max(_time) as latest min(_time) as earliest by host | eval latest=latest+.001 | fields + earliest latest host]

I want this to produce: sourcetype="ST" latest=1234567.500 earliest=1234566.799 host=host1

I believe the search that is actually being created is: sourcetype="ST" ( ( latest=1234567.500 AND earliest=1234566.799 AND host=host1 ) )

Running that search produces the error "Error in 'UnifiedSearch': Unable to parse the 'Missing LHS for AND' search.".

Removing the parentheses, it works as expected.

Anybody know a way to add the arguments from the subsearch onto the search without the parentheses?

EDIT...

Thank you, Dr. Wooden, that works a treat. I kept going and made a workflow action that can be used generically, and should actually be fast, since it uses the results of the active search instead of rerunning the initial search. It should also work for complicated searches, since it's just pulling the results off disk.

* [loadjob $@sid$ events=t | stats max(_time) as latest min(_time) as earliest by host sourcetype | eval latest=latest+.001 | format "(" "(" "" ")" "OR" ")" ] | sort _time

Here's the full config entry:

[show_context]
display_location = event_menu
fields = *
label = Show Context
search.preserve_timerange = 1
search.search_string = * [loadjob $@sid$ events=t | stats max(_time) as latest min(_time) as earliest by host sourcetype | eval latest=latest+.001 | format "(" "(" "" ")" "OR" ")" ] | sort _time
search.target = blank
type = search

The only downer is that it doesn't build a reusable search, but it should work well for interactive use.

bwooden
Splunk Employee

I removed the outer parentheses as well and it appeared to work in my lab. Does this work in your environment: sourcetype="ST" [search sourcetype="ST" foo=bar | stats max(_time) as latest min(_time) as earliest by host | eval latest=latest+.001 | fields + earliest latest host | format "" "" "AND" "" "OR" ""]

bwooden
Splunk Employee

We can get rid of the extra parentheses like this (but it doesn't appear to fix the reported error): sourcetype="ST" [search sourcetype="ST" foo=bar | stats max(_time) as latest min(_time) as earliest by host | eval latest=latest+.001 | fields + earliest latest host | format "" "(" "AND" ")" "OR" ""]

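As an added example (not code from this thread or from Splunk), here is a small Python model of how the "format" command described by gkanapathy turns a subsearch's result table into the string that replaces the subsearch, and of what the alternative argument sets that vbumgarn and bwooden tried above produce for a single row of time modifiers. The six positional arguments follow the real command's order (row prefix, column prefix, column separator, column end, row separator, row end); quoting of values that contain whitespace is an assumption about the real command, and its mvsep and maxresults options are not modelled.

```python
# Model of Splunk's `format` command (added example, not Splunk's code).
# Default arguments reproduce the "( ( a=1 AND b=2 ) OR ( a=3 AND b=4 ) )"
# shape shown in the thread; other argument sets drop parentheses or the AND.

# Constructed sample: the table from gkanapathy's answer.
TABLE = [
    {"field1": "red", "field2": "14", "field3": "cow"},
    {"field1": "black", "field2": "7", "field3": "wolf"},
]

# Constructed sample: vbumgarn's single row of time modifiers plus a field.
TIME_ROW = [{"latest": "1234567.500", "earliest": "1234566.799", "host": "host1"}]

# (row prefix, column prefix, column separator, column end, row separator, row end)
DEFAULT_ARGS = ("(", "(", "AND", ")", "OR", ")")


def _quote(value):
    # Assumption: values containing whitespace are wrapped in double quotes.
    return f'"{value}"' if any(c.isspace() for c in value) else value


def _join(prefix, sep, end, parts):
    # An empty separator still leaves a single space so terms never run together
    # (Splunk treats adjacent terms as an implicit AND).
    glue = f" {sep} " if sep else " "
    body = glue.join(parts)
    return " ".join(p for p in (prefix, body, end) if p)


def spl_format(rows, args=DEFAULT_ARGS):
    """Render a list of result rows the way `format <6 args>` would."""
    row_prefix, col_prefix, col_sep, col_end, row_sep, row_end = args
    rendered = [
        _join(col_prefix, col_sep, col_end, [f"{k}={_quote(v)}" for k, v in row.items()])
        for row in rows
    ]
    return _join(row_prefix, row_sep, row_end, rendered)


if __name__ == "__main__":
    print(spl_format(TABLE))                                       # default shape
    print(spl_format(TIME_ROW, ("", "", "AND", "", "OR", "")))       # bwooden, no parens
    print(spl_format(TIME_ROW, ("", "(", "AND", ")", "OR", "")))     # bwooden, inner parens only
    print(spl_format(TIME_ROW, ("(", "(", "", ")", "OR", ")")))      # vbumgarn, no AND
```

Note that dropping both the parentheses and the AND only stays unambiguous for a single row; with several rows the OR between them has nothing to group, which is why vbumgarn's workflow action keeps the parentheses and removes only the AND.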

carasso
Splunk Employee

You're running your search over all results when you only want one, so you should use 'head'. Even easier, use the "return" command, which does the head, fields, rename in one:

... earliest="01/19/2010:00:00:00" [search ... | return latest=_time ]
