×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
atljoer
Loves-to-Learn
Member since: ‎01-14-2021
‎01-19-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-14-2021
View All

Re: Assistance with Map using Map to perform a sea...

by in Splunk Search
‎01-19-2021 12:25 PM
‎01-19-2021 12:25 PM
Hi thank you to4kawa, maybe I should focus on the goal: Run 1 query that returns  Userid Auth Time Joe  1/19 6:30 AM Bob 1/19 7:30 AM Hank 1/19 9:45 AM Joe 1/19 3:30 PM   For each row in that resultset run a subsequent query against a 'network' index which is basically: Find the first time 'Joe' shows up in the network log starting at 6:30 AM:  6:31:22 Find the first time 'Bob' shows up in the network log starting at 7:30 AM: 7:35:12 Find the first time 'Hank' shows up in the network log starting at 9:45 AM: 9:45:46 Find the first time 'Joe' shows up in the network log start 3:30 PM: 3:31:05  Then for each row subtract the network log timestamp from the Auth timestamp so each row returns: Timestamp User (Session) TimefromAuthtoNetwork  1/19 6:30 AM Joe 1:22 1/19 7:30 AM Bob 5:12 1/19 9:45 AM Hank 0:46 1/19 3:30 PM Joe 1:05   Does that make sense?  ... View more

Assistance with Map using Map to perform a search ...

by in Splunk Search
‎01-14-2021 08:13 AM
‎01-14-2021 08:13 AM
TLDR:  Goal is to perform an initial search which returns table of time user authenticated, then for each row in the table performs a subsequent search to find each time they established a connection to server.  The Authentication data and Network data are 100% separate.    My initial search is index=authentication objectId="thingIcareabout"  | eval earliest1=timestamp/1000 | eval earliestPlus10m=earliest1+600 | table username, earliest1, earliestPlus10m This successfully runs and returns: username earliest1 earliestPlus10m Joe 1610632992 1610630191 Bob 1610629591 1610633592   Reason why I add earliestPlus10m is so I can run a subsequent search against the network index and limit the amount of results to parse.  If I try the map command index=authentication objectId="thingIcareabout"  | eval earliest1=timestamp/1000 | eval earliestPlus10m=earliest1+600 | table username, earliest1, earliestPlus10m | map search="index=network connected $username$ earliest=$earliest1$ latest=$earliestPlus10m$ | stats earliest(_time)"  I get my 2 events, but no results in Statistics from map. I run job inspector  say the map returns no results.  I literally copy the query from inspector and run it in a new search and it does return exactly what I want.  For instance index=network connected Joe earliest=1610632992 latest=1610632992 | stats earliest(_time) does return correctly.  Confused here what I may be doing wrong...   My ultimate goal is userName earliest1 subsearch(time) calculated field (subsearchtime-earliest10 Joe 1610632992 1610633001 9 Bob 1610629591 1610629598 7 ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-19-2021 02:08 PM