
comparing earliest of subsearch and main search

jedatt01
Builder

I need to figure out a way to take the earliest of a search and subtract it from the earliest of a subsearch, to be used in the subsearch. I've tried using addinfo and doing a delta on the info_min_time, but that causes my overlapping events to disappear. I want to use this result to programmatically calculate the difference in seconds between the main search and subsearch, to be used in the subsearch. My search is below, with the places I want to replace with the value in bold.

index=summary search_name="Events Counts by Message" earliest=-0d@d latest=now MESSAGE_TEXT="Authentication succeeded"
| eval reportkey=strftime(now(), "%Y-%m-%d")
| addinfo
| eval current=info_min_time
| append [
    search index=summary search_name="Events Counts by Message" earliest=-1d@d latest=-0d@d MESSAGE_TEXT="Authentication succeeded"
    | addinfo
    | eval _time=_time+**86400**
    | eval reportkey=strftime(now()-**86400**, "%Y-%m-%d")
  ]
| eval key_text = reportkey + " " + MESSAGE_TEXT
| timechart span=1h values(count) AS EventCount by key_text
0 Karma

acharlieh
Influencer

Let's assume no timewrap command. We could do something like this answer and use gentimes and map to loop over the periods we're interested in:

| gentimes start=-1 end=1 
| eventstats max(starttime) as maxstart 
| eval offset=maxstart-starttime 
| map search="
    search starttimeu::$starttime$ endtimeu::$endtime$ index=summary search_name=\"Events Counts by Message\" MESSAGE_TEXT=\"Authentication succeeded\"
    | eval key_text = strftime($starttime$, \"%Y-%m-%d\") + \" \" + MESSAGE_TEXT
    | timechart span=1h count by key_text 
    | eval _time = _time + $offset$
  "
| stats first(*) as * by _time

You could even adjust the start and end on the gentimes and get more or less easily.

jedatt01
Builder

Do the time stamps have to be connected? How could I modify this to compare today to say the same day last week?

0 Karma

acharlieh
Influencer

Replace the gentimes command with something that generates a result with starttime and endtime set to the timestamps of each start and end that you want to compare. Eventstats and the eval figure out the offset, and then the mapped search runs for each time range.

0 Karma
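The two answers above describe one technique: generate a row per period (with gentimes for adjacent days, or anything else that emits starttime/endtime pairs for non-adjacent ones), compute offset = maxstart - starttime per row, chart each period on its own, shift its _time forward by the offset and merge by _time. The following is an added example, not code from the thread or from Splunk, that reproduces that pipeline in plain Python over a constructed set of summary-index rows, with comments mapping each step to the SPL command it stands in for. It generalizes slightly: daily_periods plays the gentimes role for day-over-day, and same_weekday_periods is the hypothetical "something that generates starttime and endtime" for the same-weekday-last-week case. All timestamps, counts and helper names are assumptions made for illustration.

```python
"""Overlay several time periods on one timeline so each period's hourly counts
line up on the latest period's clock (the gentimes / map / offset pattern).
Added example, not code from the thread; sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timezone

HOUR = 3600
DAY = 86400

# Constructed stand-ins for summary-index rows: (epoch _time, count).
SAMPLE_EVENTS = [
    (1704067200 + 600, 5),            # 2024-01-01 00:10 UTC (Monday)
    (1704067200 + HOUR + 120, 7),     # 2024-01-01 01:02 UTC
    (1704412800, 100),                # 2024-01-05 00:00 UTC, outside every period used below
    (1704585600 + 5 * HOUR + 30, 2),  # 2024-01-07 05:00 UTC
    (1704672000 + 300, 9),            # 2024-01-08 00:05 UTC (Monday)
    (1704672000 + 2 * HOUR, 4),       # 2024-01-08 02:00 UTC
]


def daily_periods(first_day_start, n_days):
    """Like `gentimes` with a 1d increment: n consecutive [start, end) day windows."""
    return [(first_day_start + i * DAY, first_day_start + (i + 1) * DAY)
            for i in range(n_days)]


def same_weekday_periods(day_start, weeks_back):
    """Replacement for gentimes when the periods are not adjacent: the given day
    plus the same weekday 1..weeks_back weeks earlier, oldest first."""
    return [(day_start - w * 7 * DAY, day_start - w * 7 * DAY + DAY)
            for w in range(weeks_back, -1, -1)]


def bucket_counts(events, start, end, span=HOUR):
    """`search starttimeu::start endtimeu::end | timechart span=1h count`:
    keep events with start <= _time < end and sum counts per span-aligned bucket."""
    buckets = defaultdict(int)
    for t, n in events:
        if start <= t < end:
            buckets[(t // span) * span] += n
    return dict(buckets)


def overlay_periods(events, periods, span=HOUR):
    """For each (starttime, endtime): offset = maxstart - starttime, chart the
    period alone, shift its buckets by offset, then merge by _time
    (`stats first(*) as * by _time`).  Returns {shifted_time: {key_text: count}}."""
    maxstart = max(start for start, _ in periods)      # eventstats max(starttime) as maxstart
    merged = defaultdict(dict)
    for start, end in periods:
        offset = maxstart - start                       # eval offset=maxstart-starttime
        key_text = datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%d")
        for bucket, n in bucket_counts(events, start, end, span).items():
            merged[bucket + offset][key_text] = n       # eval _time=_time+offset
    return dict(merged)


def format_overlay(table):
    """Render the merged table one shifted bucket per line, for a quick look."""
    lines = []
    for t in sorted(table):
        stamp = datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M")
        cells = ", ".join(f"{k}={v}" for k, v in sorted(table[t].items()))
        lines.append(f"{stamp}  {cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    today = 1704672000  # 2024-01-08 00:00 UTC
    print("day over day (gentimes-style adjacent periods):")
    print(format_overlay(overlay_periods(SAMPLE_EVENTS, daily_periods(today - DAY, 2))))
    print("same weekday last week (non-adjacent periods):")
    print(format_overlay(overlay_periods(SAMPLE_EVENTS, same_weekday_periods(today, 1))))
```

Because the offset comes from the period list itself rather than from addinfo on the event stream, nothing depends on which events happen to survive the main search, which is the overlap problem the original question ran into. Each period is also searched and bucketed independently before the shift, matching the "two or more searches run independently" requirement rather than one search over the whole span.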

jedatt01
Builder

Got it to work using a subsearch with gentimes and taking the head 1 and tail 1. See code below.

| gentimes start=$start$ end=$end$
| eventstats max(starttime) as maxstart
| eval offset=maxstart-starttime
| head 1
| append [
    | gentimes start=$start$ end=$end$
    | eventstats max(starttime) as maxstart
    | eval offset=maxstart-starttime
    | tail 1
  ]

0 Karma

acharlieh
Influencer

Are you able to install apps on your instance? If so, are you looking for something like the timewrap command?

0 Karma

jedatt01
Builder

I've seen timewrap, but from what I understand it does one single search over the entire period and then you filter down using date_wday etc. I'm looking for a higher-performance method that does the two or more searches independently.

0 Karma