earliest, latest and time variables

antonioformato · ‎05-17-2014

Hi all,
I have a requirement to create a dashboard view with following search:

<searchString>
index="my_index"  publicip="'$ip$'" xxx earliest=T1 latest=T11=T1+3d"
| append 
[search index="my_index"  publicip="'$ip$'" yyy earliest=T01=T0-3d latest=T0]
| transaction framed_ip_address
| table username, privateip, publicip
</searchString>

Time in Subsearch:

T1=T0-3days
T01=earliest in time picker selection (from user)

Time in main search:

 T1=latest in time picker selection (from user)
 T11=T1+3 days

How do i figure out this request?
using Splunk 6.1.1.

Thank you
Antonio

somesoni2 · ‎05-18-2014

Try this

index="my_index"  publicip="'$ip$'" xxx 
[|stats count | addinfo |eval earliest=info_max_time | eval latest=relative_time(info_max_time,"+3d") 
|table earliest, latest |format "" "" "" "" "" "" ]
| append 
[search index="my_index"  publicip="'$ip$'" yyy 
[|stats count | addinfo |eval latest=info_min_time | eval earliest=relative_time(info_max_time,"-3d") 
|table earliest, latest |format "" "" "" "" "" ""]]
| transaction framed_ip_address
| table username, privateip, publicip

somesoni2 · ‎05-19-2014

Try the updated answer.

martin_mueller · ‎05-18-2014

You can get rid of the append entirely like this:

index="my_index" publicip="'$ip$'" [compute earliest=T0-3d and latest=T1+3d]
(
  ( xxx [compute earliest=T1 and latest=T1+3d] )
  OR
  ( yyy [compute earliest=T0-3d and latest=T0] )
)
| transaction, table, whatever

Note, I'm not sure if I've used the correct T0/T1/etc values, adapt as needed.
Note also the need to calculate the overall envelope of time ranges to avoid Splunk searching over all time. Having only the specific time ranges for each OR branch isn't enough.

antonioformato · ‎05-18-2014

It doesn't work.
First error on info_max_time
Second error on append: I cannot use two subsearches after append command.

Any advice is welcome
Thank you
AF

antonioformato · ‎05-18-2014

Hi, example with real time specification:

index="index1" sourcetype="sourcetype1" publicip="'x.x.x.x'"  freed earliest="1/20/2014:12:48:00" latest="1/23/2014:12:48:00"
| append [search index="index1" sourcetype="sourcetype1" publicip="'x.x.x.x'" assigned earliest="1/17/2014:11:48:00" latest="01/20/2014:11:48:00"]
| transaction framed_ip_address, publicportrange startswith=assigned endswith=freed 
| search index="index1" sourcetype="sourcetype1" 
| table username, acct_session_id, acct_unique_id, acct_start_time, acct_stop_time

I tried:

[search index=index1 
| addinfo 
| head 1 
| eval earliest=$field1.earliest$
| eval latest=$field1.earliest$+259200 
| fields earliest,latest 
| format "(" "(" "" ")" "OR" ")" ]
index="index1" sourcetype="sourcetype1" publicip="'$ip$'" freed 
| append 
[ [search index=index1
    | addinfo 
    | head 1 
    | eval earliest=$field1.earliest$-259200
    |eval latest=$field1.latest$ 
    | fields earliest,latest 
    | format "(" "(" "" ")" "OR" ")" ]
    search index="index1" sourcetype="sourcetype1" publicip="'$ip$'" assigned
]
| transaction framed_ip_address, publicportrange startswith=assigned endswith=freed
| search index="index1" sourcetype="sourcetype1"
| table username, acct_session_id, acct_unique_id, acct_start_time, acct_stop_time

with last search I got error on second "head 1".
Thank you
Antonio

martin_mueller · ‎05-17-2014

I think your T0, T1, T01, T11 specifications are a little messed up... or I'm not picking them up properly. Provide an example with actual dates for each to clarify.

Additionally, describe what your actual use case is - maybe there's a less convoluted solution.

earliest, latest and time variables

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...