Search help - need sub search to return time and host value for new search

Jaci (Splunk Employee)

The first search (1) will return host values and time values. I need those values to be used in another search (2).

    search earliest=5/2/2010:18:00:00 latest=5/3/2010:18:00:00 | bucket _time span=10s | stats count(domain) as domain_count by _time host | autoregress domain_count p=1-5 | where domain_count/domain_count_p1 < .10

I get all kinds of errors when running the search below. I just do not know how to get the outer search to use the time and host values returned from the subsearch.

    search earliest=-60m latest=_time host=host | " some other splunk stuff " [ search earliest=5/2/2010:18:00:00 latest=5/3/2010:18:00:00 | bucket _time span=10s | stats count(domain) as domain_count by _time host | autoregress domain_count p=1-5 | where domain_count/domain_count_p1 < .10 | fields _time, host]

sideview (SplunkTrust)

When the fields come out of the subsearch, they'll use the field names that they had in the inner search, because they don't know any better.

You can see this for yourself, that is, see what search is actually getting run in the outer search, by running the whole shebang (getting 0 results), and then going to "actions > Inspect Search" in 4.1.

Scroll down and look for the strange-looking "rtlitsearch" entry. Ignore the other weird-looking stuff in there because it doesn't matter, but somewhere in there you'll see the terms that are getting contributed to the outer search from the inner search, and they'll look like:

    last_time=1342143902 last_host=some_host_value start_time=12314124214

which won't work.

If you want time terms to come out, they have to be called earliest and latest, and the 'last_host' field should be called just plain old 'host'.

Also, I don't think you can use earliest and latest as part of an OR or anything, so there'll probably have to be a | head 1 in your inner search.
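Putting the answer together, here is an added example of the rewritten search (it is not from the original post). It assumes the one-hour lookback from the question's earliest=-60m, keeps the | head 1 that the answer suggests so only a single earliest/latest/host triple is handed to the outer search, and uses a stats count by host as a stand-in for the " some other splunk stuff " in the question:

```spl
search host=*
    [ search earliest=5/2/2010:18:00:00 latest=5/3/2010:18:00:00
      | bucket _time span=10s
      | stats count(domain) as domain_count by _time host
      | autoregress domain_count p=1-5
      | where domain_count/domain_count_p1 < .10
      | head 1
      | eval earliest=_time-3600, latest=_time
      | fields earliest latest host ]
| stats count by host
```

Because the subsearch now emits fields literally named earliest, latest and host, the terms it contributes to the outer search (visible under "Inspect Search") become earliest=<epoch> latest=<epoch> host=<value>, which Splunk reads as a time window and a host filter rather than as unknown field names.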


g_prez (Path Finder)

Jacki posted this question for me ...

This was the inner search:

    [search earliest=5/3/2010:17:55:00 latest=5/3/2010:18:00:00 | bucket _time span=10s | stats count(domain) as domain_count by _time host | autoregress domain_count p=1-5 | where domain_count/domain_count_p1 < .10 | eval last_time= _time | eval last_host= host | eval start_time = last_time - 36000 | fields last_time, last_host, start_time]

The above search will return the time windows and host that I want to do the outer search on ..

    search * host=last_host earliest=last_time latest=start_time ...

I get back nothing from the outer search ... but the inner search returns the results!

Help ... I am not too sure how to get Splunk to read the values from the inner search as variables for the search time window and host.

gprez


gkanapathy (Splunk Employee)

I don't know what you are trying to do with this, regardless of the subsearch:

    search earliest =-60m latest=_time host=host | " some other splunk stuff "

You already have a time range and host here. How is that supposed to relate to whatever you get back from a subsearch? What is " some other splunk stuff "? A literal? Search commands? Query terms? This matters.
