Splunk Search

comparing earliest of subsearch and main search

Builder

I need to figure out a way to take the earliest of a search and subtract it from the earliest of a subsearch, to be used in the subsearch. I've tried using addinfo and doing a delta on the info_min_time, but that causes my overlapping events to disappear. I want to use this result to programmatically calculate the difference in seconds between the main search and subsearch, to be used in the subsearch. My search is below, with the places I want to replace with the value in bold.

index=summary search_name="Events Counts by Message" earliest=-0d@d latest=now MESSAGE_TEXT="Authentication succeeded" | eval reportkey=strftime(now(), "%Y-%m-%d") | addinfo | eval current=info_min_time | append [search index=summary search_name="Events Counts by Message" earliest=-1d@d latest=-0d@d MESSAGE_TEXT="Authentication succeeded" | addinfo | eval _time=_time+**86400** | eval reportkey=strftime(now()-**86400**, "%Y-%m-%d")] | eval key_text = reportkey + " " + MESSAGE_TEXT | timechart span=1h values(count) AS EventCount by key_text
0 Karma

Influencer

Let's assume no timewrap command. We could do something like this answer and use gentimes and map to loop over the periods we're interested in:

| gentimes start=-1 end=1 
| eventstats max(starttime) as maxstart 
| eval offset=maxstart-starttime 
| map search="
    search starttimeu::$starttime$ endtimeu::$endtime$ index=summary search_name=\"Events Counts by Message\" MESSAGE_TEXT=\"Authentication succeeded\"
    | eval key_text = strftime($starttime$, \"%Y-%m-%d\") + \" \" + MESSAGE_TEXT
    | timechart span=1h count by key_text 
    | eval _time = _time + $offset$
  "
| stats first(*) as * by _time

You could even adjust the start and end on the gentimes and get more or less easily.

Builder

Do the time stamps have to be connected? How could I modify this to compare today to say the same day last week?

0 Karma

Influencer

Replace the gentimes command with something that generates a result with starttime and endtime set to the timestamps of each start and end that you want to compare. Eventstats and the eval figure out the offset and then run the mapped search for each time range.

0 Karma
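To make the offset logic in the gentimes/eventstats/map pipeline above concrete (including the "same day last week" variant), here is an added stand-alone Python model of it. It is not SPL and not code from this thread or from Splunk: it takes a list of (starttime, endtime) ranges, computes offset = maxstart - starttime for each range exactly as the eventstats/eval pair does, shifts each range's events forward by its offset so they all land on the latest range's day, buckets them per hour like timechart span=1h, and joins the series on the aligned bucket like the final stats by _time. The "Authentication succeeded" event times and the two ranges are constructed sample data; the function names are the example's own.

```python
from collections import Counter
from datetime import datetime, timezone

DAY = 86400
HOUR = 3600


def epoch(iso_utc):
    """Parse a constructed 'YYYY-MM-DD HH:MM' UTC string into epoch seconds."""
    return int(datetime.strptime(iso_utc, "%Y-%m-%d %H:%M")
               .replace(tzinfo=timezone.utc).timestamp())


def with_offsets(ranges):
    """Mirror of `eventstats max(starttime) as maxstart | eval offset=maxstart-starttime`.
    ranges: list of (starttime, endtime) in epoch seconds.
    Returns (starttime, endtime, offset) triples; the latest range gets offset 0."""
    maxstart = max(start for start, _ in ranges)
    return [(start, end, maxstart - start) for start, end in ranges]


def key_text(starttime):
    """Mirror of `strftime($starttime$, "%Y-%m-%d")`: label a range by its start day."""
    return datetime.fromtimestamp(starttime, tz=timezone.utc).strftime("%Y-%m-%d")


def aligned_hourly_counts(events, ranges):
    """Mirror of the mapped search. For each range: keep events with
    starttime <= _time < endtime, add that range's offset to _time so every
    range lands on the latest range's day, then count per hour (span=1h).
    Returns {key_text: {bucket_epoch: count}}."""
    result = {}
    for start, end, offset in with_offsets(ranges):
        buckets = Counter()
        for t in events:
            if start <= t < end:
                shifted = t + offset
                buckets[shifted - shifted % HOUR] += 1
        result[key_text(start)] = dict(buckets)
    return result


def compare(counts, baseline_key, current_key):
    """Join two aligned series on the hourly bucket (what `stats first(*) as *
    by _time` achieves after the map) and return (bucket, baseline, current,
    delta) rows, so a drop or spike in successful logins stands out."""
    base, cur = counts[baseline_key], counts[current_key]
    rows = []
    for bucket in sorted(set(base) | set(cur)):
        b, c = base.get(bucket, 0), cur.get(bucket, 0)
        rows.append((bucket, b, c, c - b))
    return rows


# Constructed sample data: "Authentication succeeded" event times for a Monday
# and the same weekday one week earlier, plus one event outside both ranges.
SAMPLE_EVENTS = [epoch(s) for s in [
    "2024-03-04 09:00", "2024-03-04 09:15", "2024-03-04 10:30",   # last week
    "2024-03-11 09:05", "2024-03-11 10:10", "2024-03-11 10:40",   # today
    "2024-03-11 10:50",
    "2024-03-08 12:00",                                           # in neither range
]]
SAMPLE_RANGES = [
    (epoch("2024-03-11 00:00"), epoch("2024-03-11 00:00") + DAY),  # today
    (epoch("2024-03-04 00:00"), epoch("2024-03-04 00:00") + DAY),  # same day last week
]


def demo():
    """Run the whole pipeline on the constructed data: last week is the baseline."""
    counts = aligned_hourly_counts(SAMPLE_EVENTS, SAMPLE_RANGES)
    return compare(counts, "2024-03-04", "2024-03-11")


if __name__ == "__main__":
    for bucket, base, cur, delta in demo():
        hour = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%H:%M")
        print(f"{hour}  last week={base}  today={cur}  delta={delta:+d}")
```

Because the offset is derived from the ranges themselves, the ranges do not have to be adjacent: any two (or more) windows of the same length, a day apart or a week apart, align the same way, which is the point of the generated-starttime approach in the answer above.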

Builder

Got it to work using a subsearch with gentimes and taking the head 1 and tail 1. See code below.

| gentimes start=$start$ end=$end$ | eventstats max(starttime) as maxstart | eval offset=maxstart-starttime | head 1 | append [| gentimes start=$start$ end=$end$ | eventstats max(starttime) as maxstart | eval offset=maxstart-starttime | tail 1]

0 Karma

Influencer

Are you able to install apps on your instance? If so, are you looking for something like the timewrap command?

0 Karma

Builder

I've seen timewrap, but from what I understand it does one single search over the entire period then you filter down using the date_wday etc. I'm looking for a higher performance method that does the two or more searches independently.

0 Karma