Splunk Search
Highlighted

use a subsearch to define earliest and latest for main search

Splunk Employee
Splunk Employee

I want to use a sub search to find events, then use the time as a boundary for the main search.
In my case, I search for ERROR in splunkd, pick the oldest one, and use the timestamp to compare to event in splunkd_access 2 minutes around.

I tried

index=_internal source=*splunkd_access.log* [search earliest=-1d@d index=_internal source=*splunkd.log* ERROR | tail 1 | eval earliest=_time-60 | eval latest=_time+60 | table earliest latest ]

I expect the earliest and latest conditions to be populated with the subsearch, but it fails with :

Error in 'search' command: Unable to parse the search: 'AND' operator is missing a clause on the left hand side.

Highlighted

Re: use a subsearch to define earliest and latest for main search

Splunk Employee
Splunk Employee

Go it working using an exotic format :


index=_internal source=*splunkd_access.log* [search earliest=-1d@d index=_internal source=*splunkd.log* ERROR | tail 1 | eval earliest=_time-60 | eval latest=_time+60 | table earliest latest | format "(" "(" "" ")" "OR" ")" ]

by default the format is defined here :
http://docs.splunk.com/Documentation/Splunk/6.1.1/Search/Changetheformatofsubsearchresults
http://docs.splunk.com/Documentation/Splunk/6.1.1/SearchReference/format

We had to modify it for earliest / latest to remove the AND.

  • from "(" "(" "AND" ")" "OR" ")"
  • to "(" "(" "" ")" "OR" ")"

View solution in original post

Highlighted

Re: use a subsearch to define earliest and latest for main search

Builder

THANK YOU!

0 Karma
Highlighted

Re: use a subsearch to define earliest and latest for main search

Engager

Thank you so much. I was mostly convinced this was a bug, and was losing hair trying to get a time-based search to work.

0 Karma