Solved: Using a subsearch to get the time of an event

jwestberg · ‎06-09-2010

I am trying to get the latest timestamp in the index, and then searching for that time. I constructed a search to accomplish this:

* | head 1 | fields _time

However, putting this into a subsearch, does not return any events.

* [SEARCH * | head 1 | fields _time ]

_time seems to be filtered out of the subsearch results. How do I avoid this?

steveyz · ‎06-09-2010

subsearch results always ignore internal fields (those that start with _) when constructing the outer query.

What you have to do is to set the value of a special field 'search' to contain the exact outer query string you want, i.e.

* [search * | head 1 | eval search = "_time=" . _time | fields search]

gkanapathy · ‎10-18-2012

Really you could do this:

* [ search * | head 1 | eval earliest=_time | eval latest=_time | return earliest,latest ]

steveyz · ‎06-09-2010

subsearch results always ignore internal fields (those that start with _) when constructing the outer query.

What you have to do is to set the value of a special field 'search' to contain the exact outer query string you want, i.e.

* [search * | head 1 | eval search = "_time=" . _time | fields search]

carasso · ‎10-18-2012

Much simpler:

* [ search * | return _time ]

Using a subsearch to get the time of an event