Hi,
In the past (Splunk Enterprise v 7.x.x) I used the below search to run a report every few min. There were so many results that, due to limitations, I had to run them in 1 day spans. I needed to do this for 6 months of data, so I automated the process with a repeating report...
I would run this search to create the first entries, which is necessary for the next step:
index="app" sourcetype="api" type=log*
| eval time=_time
| sort time desc
| table time type version
| outputlookup append=false My_file.csv
Then I created a report, set it to run every 1 or 2 minutes with the below search. It basically looks at the earliest date in the My_file.csv file, then adjusts the earliest and latest times for the main search.
index="app" sourcetype="api" type=log*
[| inputlookup My_file.csv
| stats min(time) as mi
| eval latest=(mi-0.001)
| eval earliest=(latest-86400)
| return earliest latest]
| eval time=_time
| table time type version
| sort time desc
| outputlookup append=true My_file.csv
It just runs the search with the timeframe in my Splunk time picker. It doesn't seem to take the earliest and latest from my 'return' command in the subsearch.
If I try running the subsearch only, then I do get a result...
| inputlookup My_file.csv
| stats min(time) as mi
| eval latest=(mi-0.001)
| eval earliest=(latest-86400)
| return earliest latest
This gives me the below results, so I don't get why the value isn't used in the top search:
earliest="1642374033.873" latest="1642719633.873"
It works though if I do a map, but that's not a viable solution due to the high volumes...
| inputlookup My_file.csv
| stats min(time) as mi
| eval latest=(mi-0.001)
| eval earliest=(latest-86400)
| table earliest latest
| map maxsearches=10 search="search index=\"app\" sourcetype=\"api\" type=log* earliest=\"$earliest$\" latest=\"$latest$\""
What's frustrating is that this used to work and now I need to do the same exercise and I can't use it again.
Does anybody have an idea why it's not working? Have you experienced similar issues?
Thanks
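The two-step backfill the post describes (seed the lookup, then chain the scheduled report off min(time) with a 1 ms guard and a 1-day window), simulated in Python as an added example; this is not code from the post or from Splunk. The in-memory index, the event times and the inclusive-earliest/exclusive-latest range semantics are assumptions made for the simulation, and it adds a stop once an older window returns nothing (min(time) then stops moving, so a scheduled report would keep re-running the same window).

```python
from decimal import Decimal

DAY = Decimal(86400)
GUARD = Decimal("0.001")  # the 1 ms step back from the earliest saved time

def seed(events):
    """Step 1: the first search, outputlookup append=false."""
    return sorted(events, key=lambda e: e["time"], reverse=True)

def next_window(rows):
    """Step 2's subsearch: stats min(time) as mi | eval latest=mi-0.001
    | eval earliest=latest-86400 | return earliest latest.
    Returns None instead of a window when the lookup is empty, so a caller
    never silently runs over the wrong range (the symptom seen in the thread)."""
    if not rows:
        return None
    mi = min(r["time"] for r in rows)
    latest = mi - GUARD
    earliest = latest - DAY
    return earliest, latest

def search(index, earliest, latest):
    """The outer search over a constructed in-memory index; earliest is
    treated as inclusive and latest as exclusive (assumed range semantics)."""
    return [e for e in index if earliest <= e["time"] < latest]

def backfill(index, picker_earliest, picker_latest, max_runs):
    """Chain the scheduled report: every run appends one more day."""
    rows = seed(search(index, picker_earliest, picker_latest))
    windows = []
    for _ in range(max_runs):
        win = next_window(rows)
        if win is None:
            break
        windows.append(win)
        hits = search(index, *win)
        if not hits:          # min(time) would stop moving: stop the chain
            break
        rows += hits          # outputlookup append=true
    return rows, windows

# Constructed sample index: one event every 6 hours for 4 days.
T0 = Decimal(1642291200)  # 2022-01-16 00:00:00 UTC
INDEX = [{"time": T0 + Decimal(6 * 3600 * i), "type": "log_api", "version": "1"}
         for i in range(16)]

if __name__ == "__main__":
    rows, wins = backfill(INDEX, T0 + 3 * DAY, T0 + 4 * DAY, max_runs=10)
    print(len(rows), "rows;", [(str(e), str(l)) for e, l in wins])
```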
Hi @diogofgm,
I noticed you didn't use the parentheses here:
| eval latest = mi-0.001
| eval earliest = latest-3600
So I tried removing them from my search and it works!
index="app" sourcetype="api" type=log*
[| inputlookup My_file.csv
| stats min(time) as mi
| eval latest=mi-0.001
| eval earliest=latest-86400
| return earliest latest]
| eval time=_time
| table time type version
| sort time desc
| outputlookup append=true My_file.csv
I don't understand how the parentheses cause it to fail. Furthermore, the return works fine with parentheses when I use it as a search on its own (not as a subsearch). And it used to work fine on our older version of Splunk.
Oh well...thanks for your input, much appreciated 😉
PS: How do I edit my post? I looked everywhere, but I don't seem to have the option.
Hi steen,
I don't think that's a version problem. I made a small test in 8.2.4 with this:
index=_internal
[| makeresults
| eval mi=strptime("2022-01-21 10:00","%Y-%m-%d %H:%M")
| eval latest = mi-0.001
| eval earliest = latest-3600
| return latest earliest]
I can get the results from the expected hour.
Check the job inspector for clues. Look for the remoteSearch to see what Splunk is sending to the indexers.
Additional info:
If I take the values from the return command in the subsearch and put them into a makeresults command, then it works:
index="app" sourcetype="api" type=log* [| makeresults | eval earliest="1642304033.873" | eval latest="1642719633.873" | return earliest latest]
I don't get why it works here but not with the inputlookup, it's pretty much the same thing, no?
I would edit the main post with those details instead of posting a reply
Glad I pointed you in the right direction.
As for the edit, there's a down arrow on the right side just above the post title where you have multiple options regarding the post, and edit is just one of them.