Splunk Search

comparing earliest of subsearch and main search

jedatt01
Builder

I need to figure out a way to take the earliest of a search and subtract it from the earliest of a subsearch to be used in the subsearch. I've tried using addinfo and doing a delta on the info_min_time, but that causes my overlapping events to disappear. I want to use this result to programmatically calculate the difference in seconds between the main search and subsearch to be used in the subsearch. My search is below, with the places I want to replace with the value in bold.

index=summary search_name="Events Counts by Message" earliest=-0d@d latest=now MESSAGE_TEXT="Authentication succeeded" | eval reportkey=strftime(now(), "%Y-%m-%d") | addinfo | eval current=info_min_time | append [search index=summary search_name="Events Counts by Message" earliest=-1d@d latest=-0d@d MESSAGE_TEXT="Authentication succeeded" | addinfo | eval _time=_time+**86400** | eval reportkey=strftime(now()-**86400**, "%Y-%m-%d")] | eval key_text = reportkey + " " + MESSAGE_TEXT | timechart span=1h values(count) AS EventCount by key_text
0 Karma

acharlieh
Influencer

Let's assume no timewrap command. We could do something like this answer and use gentimes and map to loop over the periods we're interested in:

| gentimes start=-1 end=1 
| eventstats max(starttime) as maxstart 
| eval offset=maxstart-starttime 
| map search="
    search starttimeu::$starttime$ endtimeu::$endtime$ index=summary search_name=\"Events Counts by Message\" MESSAGE_TEXT=\"Authentication succeeded\"
    | eval key_text = strftime($starttime$, \"%Y-%m-%d\") + \" \" + MESSAGE_TEXT
    | timechart span=1h count by key_text 
    | eval _time = _time + $offset$
  "
| stats first(*) as * by _time

You could even adjust the start and end on the gentimes and get more or less easily.

jedatt01
Builder

Do the time stamps have to be connected? How could I modify this to compare today to say the same day last week?

0 Karma

acharlieh
Influencer

Replace the gentimes command with something that generates a result with starttime and endtime set to the timestamps of each start and end that you want to compare. Eventstats and the eval figure out the offset and then run the mapped search for each time range.

0 Karma
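An added example (not acharlieh's code) of the replacement described above, for the "today versus the same day last week" case. It assumes the same summary index and fields as the question; makeresults and streamstats stand in for gentimes, producing one row for today (daysback=0) and one for seven days ago, each with starttime at midnight and endtime one day later, so the eventstats/eval/map pattern from the accepted answer runs unchanged on them:

```spl
| makeresults count=2
| streamstats count AS n
| eval daysback=if(n==1, 0, 7)
| eval starttime=round(relative_time(now(), "@d") - daysback*86400)
| eval endtime=starttime+86400
| eventstats max(starttime) AS maxstart
| eval offset=maxstart-starttime
| map search="
    search starttimeu::$starttime$ endtimeu::$endtime$ index=summary search_name=\"Events Counts by Message\" MESSAGE_TEXT=\"Authentication succeeded\"
    | eval key_text = strftime($starttime$, \"%Y-%m-%d\") + \" \" + MESSAGE_TEXT
    | timechart span=1h count by key_text
    | eval _time = _time + $offset$
  "
| stats first(*) AS * by _time
```

The offset for last week's row is 7*86400 seconds, so its hourly buckets land on today's _time values and the two series overlay on one timechart; extend the daysback list (for example if(n==1,0,if(n==2,7,14)) with count=3) to add more periods.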

jedatt01
Builder

Got it to work using a subsearch with gentimes and taking the head 1 and tail 1. See code below.

| gentimes start=$start$ end=$end$ | eventstats max(starttime) as maxstart | eval offset=maxstart-starttime | head 1 | append [| gentimes start=$start$ end=$end$ | eventstats max(starttime) as maxstart | eval offset=maxstart-starttime | tail 1]

0 Karma

acharlieh
Influencer

Are you able to install apps on your instance? If so, are you looking for something like the timewrap command?

0 Karma

jedatt01
Builder

I've seen timewrap, but from what I understand it does one single search over the entire period then you filter down using the date_wday etc. I'm looking for a higher performance method that does the two or more searches independently.

0 Karma