Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

using transaction in subsearch to define earliest latest in mainsearch

TheEggi98
Path Finder
‎09-02-2021 02:27 AM

I want to use the subsearch to get start and endtime of the newest transaction (here a botsession).

The subsearch alone gives me:
starttime=  09/01/2021:17:28:49
endtime= 09/01/2021:19:42:50

At first i used the subsearch without strftime()
but Splunk said earliest/latest cant parse epochtime and that it wants format %m/%d/%Y:%H:%M:%S

that brings me to my current search where splunk says "Invalid value "starttime" for time term 'earliest'"
When i use the results of the subsearch when running alone it works.

How can i make use of the start-/endtime?
Or is there a better method to limit my mainsearch for the newest botsession?

My Search (not the final search, but i want to work with the events from a specific session):

index="fishingbot"
  [search index=fishingbot
  | transaction startswith="Anmeldung erfolgreich!" endswith="deaktiviert!"
  | eval endtime=strftime((_time+duration), "%m/%d/%Y:%H:%M:%S")
  | eval starttime=strftime(_time, "%m/%d/%Y:%H:%M:%S")
  | top starttime endtime limit=1
  | table starttime endtime]
earliest=starttime latest=endtime

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-02-2021 02:53 AM

Just return properly named fields from your subsearch. So don't do

[[...] | table start end ] earliest=start latest=end

Because it won't work.

Do

[[...] | table start end | rename start as earliest | rename end as latest ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎09-02-2021 02:53 AM

Just return properly named fields from your subsearch. So don't do

[[...] | table start end ] earliest=start latest=end

Because it won't work.

Do

[[...] | table start end | rename start as earliest | rename end as latest ]
0 Karma
Reply
Solved! Jump to solution

TheEggi98
Path Finder
‎09-02-2021 03:01 AM

Thanks! That works.

So with naming the times in the subsearch to earliest/latest splunk will automatically use them as timerange.

Good to know 🙂

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-02-2021 03:15 AM

Yes, the results of the subsearch are directly inserted as parameters for search. I can't find it specified anywhere explicitly but it looks that if the resulting set contains multiple fields, they are added with an implicit AND (like in your case - earliest=something AND latest=something) but if you have multiple rows of the same column, they are added with an implicit OR

index=windows [ index=windows | stats top 2 source | table source ]

Should search for events that have their source field set to one of two most often appearing values.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...