Splunk Search

[Version 8.2.4] No longer able to use timestamps from return command in subsearch

steen
Explorer

Hi,

In the past (Splunk Enterprise v 7.x.x) I used the below search to run a report every few minutes. There were so many results that, due to limitations, I had to run them in 1 day spans. I needed to do this for 6 months of data, so I automated the process with a repeating report...

I would run this search to create the first entries, which are necessary for the next step:

index="app" sourcetype="api" type=log*
| eval time=_time
| sort time desc
| table time type version
| outputlookup append=false My_file.csv

Then I created a report, set to run every 1 or 2 minutes with the below search. It basically looks at the earliest date in the My_file.csv file, then adjusts the earliest and latest times for the main search.

index="app" sourcetype="api" type=log*
[| inputlookup My_file.csv
| stats min(time) as mi
| eval latest=(mi-0.001)
| eval earliest=(latest-86400)
| return earliest latest]
| eval time=_time
| table time type version
| sort time desc
| outputlookup append=true My_file.csv

It just runs the search with the timeframe in my Splunk time picker. It doesn't seem to take the earliest and latest from my 'return' command in the subsearch.


If I try running the subsearch only, then I do get a result...
| inputlookup My_file.csv
| stats min(time) as mi
| eval latest=(mi-0.001)
| eval earliest=(latest-86400)
| return earliest latest

It gives me the below results, so I don't get why the value isn't used in the top search:

earliest="1642374033.873" latest="1642719633.873"

It works though if I do a map, but that's not a viable solution due to the high volumes...

| inputlookup My_file.csv
| stats min(time) as mi
| eval latest=(mi-0.001)
| eval earliest=(latest-86400)
| table earliest latest
| map maxsearches=10 search="search index=\"app\" sourcetype=\"api\" type=log* earliest=\"$earliest$\" latest=\"$latest$\""

What's frustrating is that this used to work and now I need to do the same exercise and I can't use it again.

Does anybody have an idea why it's not working? Have you experienced similar issues?

Thanks
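The two-step backfill the post describes (bootstrap the lookup, then repeatedly window backwards from min(time) in one-day spans) modelled in Python, as an added example that is not part of the thread or of Splunk. SAMPLE_CSV, plan_backfill and the horizon argument are constructed here; the "empty lookup starts at now" rule is an assumption standing in for the first search.

```python
import csv
import io
import time

DAY_SECONDS = 86400

# Constructed sample of My_file.csv as the first search would write it
# (epoch seconds in 'time', newest first). Not taken from the thread.
SAMPLE_CSV = """time,type,version
1642719633.873,login,2.1
1642400000.500,logout,2.1
1642374033.873,login,2.0
"""

def min_time(csv_text):
    """Smallest 'time' in the lookup, or None when it has no rows
    (mirrors '| inputlookup My_file.csv | stats min(time) as mi')."""
    rows = csv.DictReader(io.StringIO(csv_text))
    times = [float(r["time"]) for r in rows if r.get("time")]
    return min(times) if times else None

def next_window(mi, span=DAY_SECONDS):
    """The (earliest, latest) pair the subsearch computes: latest sits 1 ms
    before the oldest event already collected so the boundary event is not
    fetched twice, and earliest is one span before that."""
    latest = mi - 0.001
    earliest = latest - span
    return earliest, latest

def return_tokens(earliest, latest):
    """Format the pair the way 'return earliest latest' splices it into the
    outer search, e.g. earliest="1642374033.873" latest="1642719633.873"."""
    return f'earliest="{earliest:.3f}" latest="{latest:.3f}"'

def plan_backfill(csv_text, horizon_seconds, now=None):
    """Walk windows backwards from the oldest collected event until the
    horizon (e.g. 6 months) is covered. An empty lookup starts at 'now'
    (assumption: this stands in for the bootstrap search in the post)."""
    now = time.time() if now is None else now
    mi = min_time(csv_text)
    cursor = now if mi is None else mi
    stop = now - horizon_seconds
    windows = []
    while cursor > stop:          # already past the horizon: nothing to do
        earliest, latest = next_window(cursor)
        windows.append(return_tokens(earliest, latest))
        cursor = earliest
    return windows
```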


diogofgm
SplunkTrust

Hi steen,

I don't think that's a version problem. I made a small test in 8.2.4 with this:

index=_internal 
    [| makeresults 
    | eval mi=strptime("2022-01-21 10:00","%Y-%m-%d %H:%M") 
    | eval latest = mi-0.001  
    | eval earliest = latest-3600 
    | return latest earliest]

I can get the results from the expected hour.

Check the job inspector for clues. Look for the remoteSearch to see what Splunk is sending to the indexers.

------------
Hope I was able to help you. If so, some karma would be appreciated.

steen
Explorer

Additional info:
If I take the values from the return command in the subsearch and put them into a makeresults command instead, then it works:

index="app" sourcetype="api" type=log* [| makeresults | eval earliest="1642304033.873" | eval latest="1642719633.873" | return earliest latest]

I don't get why it works here but not with the inputlookup; it's pretty much the same thing, no?


diogofgm
SplunkTrust

I would edit the main post with those details instead of posting a reply 


steen
Explorer

Hi @diogofgm,

I noticed you didn't use the parentheses here:

| eval latest = mi-0.001  
| eval earliest = latest-3600 

So I tried removing them from my search and it works!
index="app" sourcetype="api" type=log*
[| inputlookup My_file.csv
| stats min(time) as mi
| eval latest=mi-0.001
| eval earliest=latest-86400
| return earliest latest]
| eval time=_time
| table time type version
| sort time desc
| outputlookup append=true My_file.csv
I don't understand how the parentheses cause it to fail. Furthermore, the return works fine with parentheses when I use it as a search on its own (not as a subsearch). And it used to work fine on our older version of Splunk.

Oh well...thanks for your input, much appreciated 😉

 

PS: How do I edit my post, I looked everywhere, but don't seem to have the option.

diogofgm
SplunkTrust

Glad I pointed you in the right direction.

As for the edit, there's a down arrow on the right side just above the post title where you have multiple options regarding the post, and edit is just one of them.
