Hi all,
I have a requirement to create a dashboard view with following search:
<searchString>
index="my_index" publicip="'$ip$'" xxx earliest=T1 latest=T11=T1+3d
| append
[search index="my_index" publicip="'$ip$'" yyy earliest=T01=T0-3d latest=T0]
| transaction framed_ip_address
| table username, privateip, publicip
</searchString>
Time in Subsearch:
T1=T0-3days
T01=earliest in time picker selection (from user)
Time in main search:
T1=latest in time picker selection (from user)
T11=T1+3 days
How do I figure out this request?
Using Splunk 6.1.1.
Thank you
Antonio
Try this:
index="my_index" publicip="'$ip$'" xxx
[| stats count | addinfo | eval earliest=info_max_time | eval latest=relative_time(info_max_time,"+3d")
| table earliest, latest | format "" "" "" "" "" "" ]
| append
[search index="my_index" publicip="'$ip$'" yyy
[| stats count | addinfo | eval latest=info_min_time | eval earliest=relative_time(info_min_time,"-3d")
| table earliest, latest | format "" "" "" "" "" ""]]
| transaction framed_ip_address
| table username, privateip, publicip
Try the updated answer.
You can get rid of the append entirely like this:
index="my_index" publicip="'$ip$'" [compute earliest=T0-3d and latest=T1+3d]
(
( xxx [compute earliest=T1 and latest=T1+3d] )
OR
( yyy [compute earliest=T0-3d and latest=T0] )
)
| transaction, table, whatever
Note, I'm not sure if I've used the correct T0/T1/etc values, adapt as needed.
Note also the need to calculate the overall envelope of time ranges to avoid Splunk searching over all time. Having only the specific time ranges for each OR branch isn't enough.
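A complete search along the lines of the OR-branch approach above, added here as an example rather than taken from any of the posts. It derives T0 and T1 from the dashboard time picker with the addinfo/format subsearch trick from the first answer, so no time tokens are needed inside eval: the first subsearch sets the overall envelope T0-3d..T1+3d, the xxx branch is then limited to T1..T1+3d and the yyy branch to T0-3d..T0. The index, field names, the xxx/yyy terms and the $ip$ token are carried over from the question as assumptions.

```spl
index="my_index" publicip="'$ip$'"
    [| stats count | addinfo
     | eval earliest=round(relative_time(info_min_time, "-3d"))
     | eval latest=round(relative_time(info_max_time, "+3d"))
     | fields earliest, latest
     | format "" "" "" "" "" ""]
    (
        ( xxx
          [| stats count | addinfo
           | eval earliest=round(info_max_time)
           | eval latest=round(relative_time(info_max_time, "+3d"))
           | fields earliest, latest
           | format "" "" "" "" "" ""] )
        OR
        ( yyy
          [| stats count | addinfo
           | eval earliest=round(relative_time(info_min_time, "-3d"))
           | eval latest=round(info_min_time)
           | fields earliest, latest
           | format "" "" "" "" "" ""] )
    )
| transaction framed_ip_address
| table username, privateip, publicip
```

Each subsearch expands to a literal `earliest="<epoch>" latest="<epoch>"` pair, which is why the envelope goes on the outer search and the narrower pairs sit inside the OR branches. With the time picker on "All time", addinfo reports +Infinity for info_max_time and the relative_time() calls return nothing, so the dashboard needs a bounded range for this to work.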
It doesn't work.
First error on info_max_time
Second error on append: I cannot use two subsearches after the append command.
Any advice is welcome
Thank you
AF
Hi, an example with real time specifications:
index="index1" sourcetype="sourcetype1" publicip="'x.x.x.x'" freed earliest="1/20/2014:12:48:00" latest="1/23/2014:12:48:00"
| append [search index="index1" sourcetype="sourcetype1" publicip="'x.x.x.x'" assigned earliest="1/17/2014:11:48:00" latest="01/20/2014:11:48:00"]
| transaction framed_ip_address, publicportrange startswith=assigned endswith=freed
| search index="index1" sourcetype="sourcetype1"
| table username, acct_session_id, acct_unique_id, acct_start_time, acct_stop_time
I tried:
[search index=index1
| addinfo
| head 1
| eval earliest=$field1.earliest$
| eval latest=$field1.earliest$+259200
| fields earliest,latest
| format "(" "(" "" ")" "OR" ")" ]
index="index1" sourcetype="sourcetype1" publicip="'$ip$'" freed
| append
[search index="index1" sourcetype="sourcetype1" publicip="'$ip$'" assigned
[search index=index1
| addinfo
| head 1
| eval earliest=$field1.earliest$-259200
| eval latest=$field1.latest$
| fields earliest,latest
| format "(" "(" "" ")" "OR" ")" ]
]
| transaction framed_ip_address, publicportrange startswith=assigned endswith=freed
| search index="index1" sourcetype="sourcetype1"
| table username, acct_session_id, acct_unique_id, acct_start_time, acct_stop_time
With the last search I got an error on the second "head 1".
Thank you
Antonio
I think your T0, T1, T01, T11 specifications are a little messed up... or I'm not picking them up properly. Provide an example with actual dates for each to clarify.
Additionally, describe what your actual use case is - maybe there's a less convoluted solution.