Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

using transaction in subsearch to define earliest latest in mainsearch

TheEggi98
Path Finder
‎09-02-2021 02:27 AM

I want to use the subsearch to get start and endtime of the newest transaction (here a botsession).

The subsearch alone gives me:
starttime=  09/01/2021:17:28:49
endtime= 09/01/2021:19:42:50

At first i used the subsearch without strftime()
but Splunk said earliest/latest cant parse epochtime and that it wants format %m/%d/%Y:%H:%M:%S

that brings me to my current search where splunk says "Invalid value "starttime" for time term 'earliest'"
When i use the results of the subsearch when running alone it works.

How can i make use of the start-/endtime?
Or is there a better method to limit my mainsearch for the newest botsession?

My Search (not the final search, but i want to work with the events from a specific session):

index="fishingbot"
  [search index=fishingbot
  | transaction startswith="Anmeldung erfolgreich!" endswith="deaktiviert!"
  | eval endtime=strftime((_time+duration), "%m/%d/%Y:%H:%M:%S")
  | eval starttime=strftime(_time, "%m/%d/%Y:%H:%M:%S")
  | top starttime endtime limit=1
  | table starttime endtime]
earliest=starttime latest=endtime

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-02-2021 02:53 AM

Just return properly named fields from your subsearch. So don't do

[[...] | table start end ] earliest=start latest=end

Because it won't work.

Do

[[...] | table start end | rename start as earliest | rename end as latest ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-02-2021 02:53 AM

Just return properly named fields from your subsearch. So don't do

[[...] | table start end ] earliest=start latest=end

Because it won't work.

Do

[[...] | table start end | rename start as earliest | rename end as latest ]
0 Karma
Reply
Solved! Jump to solution

TheEggi98
Path Finder
‎09-02-2021 03:01 AM

Thanks! That works.

So with naming the times in the subsearch to earliest/latest splunk will automatically use them as timerange.

Good to know 🙂

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-02-2021 03:15 AM

Yes, the results of the subsearch are directly inserted as parameters for search. I can't find it specified anywhere explicitly but it looks that if the resulting set contains multiple fields, they are added with an implicit AND (like in your case - earliest=something AND latest=something) but if you have multiple rows of the same column, they are added with an implicit OR

index=windows [ index=windows | stats top 2 source | table source ]

Should search for events that have their source field set to one of two most often appearing values.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...