Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is there weird behavior with Splunk Time Range?

zacksoft_wf
Contributor
‎03-14-2022 03:57 AM

I see a strange behaviour in Splunk.

There is this SPL, when ran between 3/13/2022 6:00 AM to 3/14/2011 6:00 AM time range shows some events at 3/13/2022 - 7:00 AM (Between 7-8 AM). 

But when I re-run the same SPL between 3/13/2022 6:00 AM to 3/13/2011 8:00 AM , hoping to see the same set of events, But I see ZERO events !!   

This is very strange !! Am I missing something simple  here..? Why this weird behaviour ?

Additional Observation : 
When I change the time range between 2/12 to 3/13 - the events shows, 
But when I keep the same date 3/13 7 AM to 3/13  10 AM - It doesn't show.

It works when the time range is more that 24 hours

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-14-2022 05:12 AM

So, the subsearch restricts the outer search to ip addresses found in the subsearch during the timeframe.

For example,

Indexweb_shortphutan
timeipip
06:301.1.1.1 
07:302.2.2.2 
08:303.3.3.31.1.1.1
09:30 2.2.2.2

if timeframe is restricted to 6am to 8am, ip addresses 1.1.1.1 and 2.2.2.2 are not found in phutan, and are therefore not searched for in web_short, but when the timeframe is wider to at least 9:30, the ip addresses are found and therefore the 6:30 and 7:30 events are found

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-14-2022 04:51 AM

It might depend on the actual SPL you are using - please can you provide more detail?

0 Karma
Reply
Solved! Jump to solution

zacksoft_wf
Contributor
‎03-14-2022 04:58 AM

index=web_short NOT uco_id=UCOAF NOT uco_id=HRX [ search index=phutan uco_id=PALTO source_zone=isp transport=tcp sourcetype="pan:threat" (source_location="Pacific" OR src_location="Stars Fed") (dest_ip!="179.45.143.47" threat_name!="TVS Vulneribility") severity!="informational" severity!="low" | eval source_ip_type=case( cidrmatch("184.31.77.0/24",source_ip),"UCO_src", true(),"unknown") | where source_ip_type="unknown" | stats count by source_ip | table source_ip | rename source_ip as search | format]


The timestamp of the resulting events are between 7 Am to 8 Am 3/13/2022.
But I don't see the events when I search with in the time rage 3/13/2022 6 Am to 10 Am
I only see when I change the date time range between 3/13 to 3/14 OR 3/12 to 3/13 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-14-2022 05:12 AM

So, the subsearch restricts the outer search to ip addresses found in the subsearch during the timeframe.

For example,

Indexweb_shortphutan
timeipip
06:301.1.1.1 
07:302.2.2.2 
08:303.3.3.31.1.1.1
09:30 2.2.2.2

if timeframe is restricted to 6am to 8am, ip addresses 1.1.1.1 and 2.2.2.2 are not found in phutan, and are therefore not searched for in web_short, but when the timeframe is wider to at least 9:30, the ip addresses are found and therefore the 6:30 and 7:30 events are found

Reply
Solved! Jump to solution

zacksoft_wf
Contributor
‎03-14-2022 05:50 AM

That was brilliant . Thank you @ITWhisperer  for such lucid explanation.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...