Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

using transaction in subsearch to define earliest latest in mainsearch

TheEggi98
Path Finder
‎09-02-2021 02:27 AM

I want to use the subsearch to get start and endtime of the newest transaction (here a botsession).

The subsearch alone gives me:
starttime=  09/01/2021:17:28:49
endtime= 09/01/2021:19:42:50

At first i used the subsearch without strftime()
but Splunk said earliest/latest cant parse epochtime and that it wants format %m/%d/%Y:%H:%M:%S

that brings me to my current search where splunk says "Invalid value "starttime" for time term 'earliest'"
When i use the results of the subsearch when running alone it works.

How can i make use of the start-/endtime?
Or is there a better method to limit my mainsearch for the newest botsession?

My Search (not the final search, but i want to work with the events from a specific session):

index="fishingbot"
  [search index=fishingbot
  | transaction startswith="Anmeldung erfolgreich!" endswith="deaktiviert!"
  | eval endtime=strftime((_time+duration), "%m/%d/%Y:%H:%M:%S")
  | eval starttime=strftime(_time, "%m/%d/%Y:%H:%M:%S")
  | top starttime endtime limit=1
  | table starttime endtime]
earliest=starttime latest=endtime

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-02-2021 02:53 AM

Just return properly named fields from your subsearch. So don't do

[[...] | table start end ] earliest=start latest=end

Because it won't work.

Do

[[...] | table start end | rename start as earliest | rename end as latest ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-02-2021 02:53 AM

Just return properly named fields from your subsearch. So don't do

[[...] | table start end ] earliest=start latest=end

Because it won't work.

Do

[[...] | table start end | rename start as earliest | rename end as latest ]
0 Karma
Reply
Solved! Jump to solution

TheEggi98
Path Finder
‎09-02-2021 03:01 AM

Thanks! That works.

So with naming the times in the subsearch to earliest/latest splunk will automatically use them as timerange.

Good to know 🙂

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-02-2021 03:15 AM

Yes, the results of the subsearch are directly inserted as parameters for search. I can't find it specified anywhere explicitly but it looks that if the resulting set contains multiple fields, they are added with an implicit AND (like in your case - earliest=something AND latest=something) but if you have multiple rows of the same column, they are added with an implicit OR

index=windows [ index=windows | stats top 2 source | table source ]

Should search for events that have their source field set to one of two most often appearing values.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top