How to pass the time from one query to another que...

Veeru · ‎03-23-2023

Actually I want to pass the time from first query to second and get results out on basis of first query time.
First query
index="A" sourcetype="B" | rex "\d+\-\S+.(?<JobName>\w+)\," | transaction JobName startswith= start endswith=end | table _time _raw
Second Query
index="C" sourcetype="cpu" host="A.local" | eval firsttime=strftime(_time, "%d/%m/%Y %H:%M:%S"), secondtime=strftime(_time, "%d/%m/%Y %H:%M:%S") | where (firsttime >= "26/02/2023 03:03:03") AND (secondtime <= "26/02/2023 04:03:03") | eval Total=(pctSystem+pctUser) | table "firsttime" "host" "secondtime" "Total"
I wanna combine and get the results from first query start and end

gcusello · ‎03-24-2023

Hi @Veeru ,

you need to extract the earliest and latest values from the first search, so try something like this:

index="C" sourcetype="cpu" host="A.local" [ search index="A" sourcetype="B" | rex "\d+\-\S+.(?<JobName>\w+)\," | transaction JobName startswith= start endswith=end | eval earliest=_time, latest=_time+duration | fields earliest latest ]
| eval firsttime=strftime(_time, "%d/%m/%Y %H:%M:%S"), secondtime=strftime(_time, "%d/%m/%Y %H:%M:%S") 
| where (firsttime >= "26/02/2023 03:03:03") AND (secondtime <= "26/02/2023 04:03:03") 
| eval Total=(pctSystem+pctUser) 
| table "firsttime" "host" "secondtime" "Total"

You could also work in avoiding transaction command that's a very slow command.

Ciao.

Giuseppe

How to pass the time from one query to another query?

eval

stats

transaction

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All

Splunk Security Content for Threat Detection & Response, Q1 Roundup