Splunk Search

Passing event time from subsearch into parent search...

rgonzale6
Path Finder

I've got a search that results in an IP address. I use that search as a subsearch, which takes the IP and uses it as a search argument for the parent search in order to retrieve a hostname from another index. The issue is, the larger the search time window, the more likely it is that there is more than one hostname associated with that IP.

Is there any way to pull both an IP and the event's time from the subsearch and use both as args for the parent search?

Here's where I'm at:

[ search index="INDEX1" [ inputlookup file.csv | fields domain | rename domain as search | format maxresults=3000 ]
  | top IP limit=50
  | fields IP ]
index="INDEX2" NOT [ inputlookup whitelist.csv | fields hostname | format maxresults=1000 ]
| top hostname by IP

1 Solution

Ron_Naken
Splunk Employee

It is possible to pass time from a subsearch. Specifying the use case would allow us to help you rewrite/simplify your current search, but here's a basic example of how you can pass time:

* | eval time=_time | search [search source="my.log" parm=option1 | head 2 | eval time=_time | fields time]

Using eval to set another field to _time will work. This search should return all events that correspond in time to any my.log events where parm=option1.

UPDATE:

One thing to note is that your events from multiple sources may not correlate as exact time matches. You might want to round your time values off at the minute or such:

... | eval time=relative_time(_time, "@m")


rgonzale6
Path Finder

So would this be my query?

[ search index="INDEX1" [ inputlookup file.csv | fields domain | rename domain as search | format maxresults=3000 ]
  | top IP limit=50
  | eval time=relative_time(_time, "@m")
  | fields Internal_IP,time ]
index="INDEX2" NOT [ inputlookup whitelist.csv | fields hostname | format maxresults=1000 ]
| eval time=relative_time(_time, "@m")
| top hostname by IP

0 Karma

rgonzale6
Path Finder

Sure... Here's my use case. Index2 is searched (via the subsearch) for IP addresses that have been contacted by domains listed in the server-side CSV. These IPs are passed up to the parent search to be thrown against Index1, our Active Directory logs. The 'top hostname by IP' would ideally return a list of IPs and hostnames with 100% matching. The issue is, if a large timeframe is used (say, 24 hours), there are times when we catch an IP belonging to two different hostnames.

0 Karma
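Putting Ron_Naken's technique (set a `time` field on both sides with eval, round it with relative_time, and pass it out of the subsearch together with the IP) against the use case described above, the following is an added example search; it is not a query posted in this thread. The index names `proxy_index` (the events that record which IP contacted which domain) and `ad_index` (the Active Directory logs that carry `hostname`), the field names `IP`, `hostname` and `domain`, and the lookup file names are assumptions carried over from the thread. Two things differ from the draft query above: `time` is computed before `top`/`stats`, because those commands drop `_time` and `relative_time(_time, ...)` would otherwise be null; and the subsearch is placed in a `search` command after the parent's own `eval`, so that the `time="..."` terms the subsearch generates are evaluated against a field that exists.

```spl
index="ad_index" NOT [ inputlookup whitelist.csv | fields hostname | format maxresults=1000 ]
| eval time=relative_time(_time, "@m")
| search [ search index="proxy_index" [ inputlookup file.csv | fields domain | rename domain AS search | format maxresults=3000 ]
           | eval time=relative_time(_time, "@m")
           | stats count BY IP, time
           | sort 0 -count
           | head 3000
           | fields IP, time
           | format maxresults=3000 ]
| stats count BY IP, time, hostname
| eval minute=strftime(time, "%Y-%m-%d %H:%M")
| fields IP, minute, hostname, count
| sort 0 IP, minute
```

The inner subsearch expands to `( IP="10.0.0.5" AND time="1710000000" ) OR ( ... )`, so the `search` command keeps only AD events for the same IP in the same minute, which is what stops a 24-hour window from mixing in a hostname that held the IP hours earlier. `stats count BY IP, time` replaces `top IP limit=50`, since the pairing now needs one row per IP and minute rather than per IP; `sort 0 -count | head 3000` keeps the busiest pairs and matches `format maxresults=3000`. Two caveats: subsearches are capped by `subsearch_maxout` (10,000 results) and `subsearch_maxtime` (60 seconds) in limits.conf by default, so a large domain list over a long window can be silently truncated, and rounding to `@m` misses a proxy event and an AD event that straddle a minute boundary; widen to `@5m` if that happens often. To confirm the result is unambiguous, append `| stats dc(hostname) AS hostnames BY IP, minute` and look for any row where `hostnames` is greater than 1.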