I need to figure out a way to take the earliest of a search and subtract it from the earliest of a subsearch to be used in the subsearch. I've tried using addinfo and doing a delta on the info_min_time, but that causes my overlapping events to disappear. I want to use this result to programmatically calculate the difference in seconds between the main search and subsearch to be used in the subsearch. My search is below; the places I want to replace with the value are in bold.
index=summary search_name="Events Counts by Message" earliest=-0d@d latest=now MESSAGE_TEXT="Authentication succeeded" | eval reportkey=strftime(now(), "%Y-%m-%d") | addinfo | eval current=info_min_time | append [search index=summary search_name="Events Counts by Message" earliest=-1d@d latest=-0d@d MESSAGE_TEXT="Authentication succeeded" | addinfo | eval _time=_time+**86400** | eval reportkey=strftime(now()-**86400**, "%Y-%m-%d")] | eval key_text = reportkey + " " + MESSAGE_TEXT | timechart span=1h values(count) AS EventCount by key_text
Let's assume no timewrap command. We could do something like this answer and use map to loop over the periods we're interested in:
| gentimes start=-1 end=1 | eventstats max(starttime) as maxstart | eval offset=maxstart-starttime | map search=" search starttimeu::$starttime$ endtimeu::$endtime$ index=summary search_name=\"Events Counts by Message\" MESSAGE_TEXT=\"Authentication succeeded\" | eval key_text = strftime($starttime$, \"%Y-%m-%d\") + \" \" + MESSAGE_TEXT | timechart span=1h count by key_text | eval _time = _time + $offset$ " | stats first(*) as * by _time
You could even adjust the start and end on the gentimes and get more or less easily.
Replace the gentimes command with something that generates a result with starttime and endtime set to the timestamps of each start and end that you want to compare. Eventstats and the eval figure out the offset, and then the mapped search runs for each time range.
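To make the offset logic in the answer above concrete outside Splunk, here is an added Python model (not code from the original post or from Splunk) of what `gentimes | eventstats max(starttime) | eval offset=maxstart-starttime` and the `_time + $offset$` shift do: each day window is shifted onto the most recent day so hourly counts from different days can be overlaid and keyed by their original date. The day boundary, the `DAY`/`HOUR` constants and the sample event timestamps are constructed for the illustration.

```python
"""Model of the gentimes / eventstats / map overlay technique from the answer above."""
from collections import Counter
from datetime import datetime, timezone

DAY = 86400   # seconds in one day (the value hard-coded in the original question)
HOUR = 3600   # timechart span=1h

# Constructed: midnight UTC of an assumed "today" (2024-01-10 00:00:00 UTC).
TODAY_MIDNIGHT = 1704844800

# Constructed: epoch timestamps of "Authentication succeeded" summary rows,
# two from yesterday (09:15, 09:40) and two from today (09:05, 10:00).
SAMPLE_EVENTS = [1704791700, 1704793200, 1704877500, 1704880800]

MESSAGE_TEXT = "Authentication succeeded"


def day_windows(today_midnight, days_back):
    """Like `gentimes start=-N end=1`: (starttime, endtime) per day, oldest first."""
    return [(today_midnight - d * DAY, today_midnight - d * DAY + DAY)
            for d in range(days_back, -1, -1)]


def offsets(windows):
    """`eventstats max(starttime) as maxstart | eval offset=maxstart-starttime`.

    Returns {starttime: seconds to add so this window lines up with the newest one}.
    This is the 'difference in seconds' the question asked for, per window.
    """
    maxstart = max(start for start, _ in windows)
    return {start: maxstart - start for start, _ in windows}


def overlay_counts(events, windows):
    """Per-window `timechart span=1h count by key_text | eval _time=_time+$offset$`.

    Returns Counter keyed by (shifted hour bucket, key_text) so that the same
    hour of every day collapses onto one x-axis value but keeps its own series.
    """
    off = offsets(windows)
    counts = Counter()
    for start, end in windows:
        day_label = datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%d")
        key_text = day_label + " " + MESSAGE_TEXT
        for t in events:
            if start <= t < end:          # the mapped search's starttimeu/endtimeu bounds
                shifted = t + off[start]  # eval _time = _time + $offset$
                bucket = shifted - shifted % HOUR
                counts[(bucket, key_text)] += 1
    return counts
```

Each key in the resulting Counter is one point on the overlaid chart; the series name carries the original date, while the bucket is always expressed on the most recent day's axis.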
Got it to work using a subsearch with gentimes and taking the head 1 and tail 1. See code below.
| gentimes start=$start$ end=$end$ | eventstats max(starttime) as maxstart | eval offset=maxstart-starttime | head 1 | append [| gentimes start=$start$ end=$end$ | eventstats max(starttime) as maxstart | eval offset=maxstart-starttime | tail 1]
I've seen timewrap, but from what I understand it does one single search over the entire period then you filter down using the date_wday etc. I'm looking for a higher performance method that does the two or more searches independently.