Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

returning multiple fields with multiple values from sub search to main search

kvmanjunath
New Member
‎11-14-2012 09:38 AM

I am trying to create a search where sub-search returns 2 fields. Field 1) list of servers 2) time.

now for example., I get 3 results from the sub-search as host1, host2 and host3 for server field along with that I get 3 time which is host1_time, host2_time and host3_time.

I want to search (host1 from host1_time to host1_time + 8 hours) and (host2 from host2_time to host2_time + 8 hours) and (host3 from host3_time to host3_time + 8 hours) I tried many type of search but it is not working.

Sub-search can return n value for server field and n value for time field. Any help would be appreciated.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-14-2012 10:53 AM

I do this using time modifiers. Basically I use the subsearch to find the events, do some time based calculations, reformat the output to not include the implicit AND, and then the subsearch modifies the main search.

The subsearch returns something like : (host=host1 earliest=host1_time latest=host1_time+8 ) OR (host=host2 earliest=host2_time latest=host2_time+8 )

So your whole search looks like this:

main_search [search index=wherever| stats min(_time) as earliest by host|eval latest=earliest+(8*3600)|format "" "(" "" ")" "OR" ""]

Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-15-2012 03:51 AM

Yes, the earliest and latest time modifiers for each host take care of that. As long as main_search is pretty generic ( sourcetype=syslog for example) you should ind what you need.

0 Karma
Reply

kvmanjunath
New Member
‎11-14-2012 10:43 PM

Does it works if sub-search returns n results? for example sub-search returns more than 5 servers and 5 different times for 5 servers.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...