Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Passing event time from subsearch into parent search...

rgonzale6
Path Finder
‎02-15-2011 04:55 PM

I've got a search that results in an IP address. I use that search as a subsearch which takes the IP and uses it as a search arg for the parent search in order to retrieve a hostname from another index. The issue is, the larger the search time the more likely that there is more than one hostname associated with that IP.

Is there any way to pull both an IP and the event's time from the subsearch and use both as args for the parent search?

Here's where I'm at:

[search index="INDEX1" [inputlookup file.csv | fields domain | rename domain as search | format maxresults=3000] | top IP limit=50 | fields IP] index="INDEX2" NOT [inputlookup whitelist.csv |fields hostname|format maxresults=1000] | top hostname by IP

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-15-2011 07:57 PM

It is possible to pass time from a subsearch. Specifying the use case would allow us to help you rewrite/simplify your current search, but here's a basic example of how you can pass time:

* | eval time=_time | search [search source="my.log" parm=option1 | head 2 | eval time=_time | fields time]

Using eval to set another field to _time will work. This search should return all events that correspond in time to any my.log events where parm=option1.

UPDATE:

One thing to note is that your events from multiple sources may not correlate as exact time matches. You might want to round your time values off at the minute or such:

... | eval time=relative_time(_time, "@m")

View solution in original post

Reply
Solved! Jump to solution
Solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-15-2011 07:57 PM

It is possible to pass time from a subsearch. Specifying the use case would allow us to help you rewrite/simplify your current search, but here's a basic example of how you can pass time:

* | eval time=_time | search [search source="my.log" parm=option1 | head 2 | eval time=_time | fields time]

Using eval to set another field to _time will work. This search should return all events that correspond in time to any my.log events where parm=option1.

UPDATE:

One thing to note is that your events from multiple sources may not correlate as exact time matches. You might want to round your time values off at the minute or such:

... | eval time=relative_time(_time, "@m")
Reply
Solved! Jump to solution

rgonzale6
Path Finder
‎02-15-2011 09:57 PM

So would this be my query?

[search index="INDEX1" [inputlookup file.csv | fields domain | rename domain as search | format maxresults=3000] | top IP limit=50 | eval time=relative_time(_time, "@m") | fields Internal_IP,time] index="INDEX2" NOT [inputlookup whitelist.csv |fields hostname|format maxresults=1000] | eval time=relative_time(_time, "@m")| top hostname by IP

0 Karma
Reply
Solved! Jump to solution

rgonzale6
Path Finder
‎02-15-2011 08:56 PM

Sure...Here's my use case. Index2 is searched (via the subsearch) for IP addresses that have been contacted by domains listed in the server-side csv. These IPs are passed up to the parent search to be thrown against Index1, our Active Directory logs. The 'top hostname by IP' would ideally return a list of IPs and hostnames with 100% matching. The issue is, if a large timeframe is used (say, 24 hours) there are times when we catch an IP belonging to two different hostnames.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...