Is it possible to name the main search and the subsearch to distinguish which search produced which values in a table?

peterchow
Explorer

Dear all,

I have the following search:

host="1.1.1.1" VPN=A | join IP [search host="1.1.1.1" VPN=b] | table _time,username

May I know if it is possible to give a name to the main search and the subsearch, such as searchA and searchB, so that when I create a table I can call out searchA._time and searchB._time?

Thanks

0 Karma
1 Solution

badrinath_itrs
Communicator

Hi ,

You can try something like this to extract the _time value from the main search or the subsearch:

host="1.1.1.1" VPN=A | eval OuterTime=_time | join IP [search host="1.1.1.1" VPN=b | eval InnerTime=_time] | table _time,username OuterTime InnerTime

For such a requirement, I would prefer to use the stats command as it is much faster.

0 Karma
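As an added example (not code from either answerer), this is the stats-based form that the accepted answer says it would prefer over join. It assumes the same host, VPN, IP and username fields as the original search, and that the VPN field values are literally "A" and "b": the search-time filter `VPN=A` matches case-insensitively, but the eval comparison below is case-sensitive, so adjust the literals (or wrap VPN in `lower()`) if the real values differ.

```spl
host="1.1.1.1" (VPN=A OR VPN=b)
| eval OuterTime=if(VPN="A", _time, null()), InnerTime=if(VPN="b", _time, null())
| stats values(username) AS username, min(OuterTime) AS OuterTime, min(InnerTime) AS InnerTime BY IP
| where isnotnull(OuterTime) AND isnotnull(InnerTime)
| convert timeformat="%Y %b %d %H:%M:%S:%3N" ctime(OuterTime) ctime(InnerTime)
| table IP username OuterTime InnerTime
```

The `where` clause keeps only IPs seen under both VPN values, which mirrors the inner-join behaviour of the original search; drop it if you want IPs that appear in only one of the two. Besides speed, the practical reason to prefer this form is that a subsearch inside `join` is subject to result-count and runtime limits and is silently truncated when it hits them, so a join-based report can quietly miss events; a single `stats` pass over both event sets has no such cap.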


peterchow
Explorer

Thanks a lot. It seems to work, but the time shows a sequence number. Do you know why?

0 Karma

badrinath_itrs
Communicator

Hi ,

The time format will be an epoch timestamp and you need to convert it to a human-readable format using the command below:

your search .. | convert timeformat="%Y %b %d %H:%M:%S:%3N" ctime(OuterTime) ctime(InnerTime)

Hope this resolves your query.

Additionally if this solves your query, please mark this thread as answered.

0 Karma

peterchow
Explorer

It works. Thanks a lot.

0 Karma

sundareshr
Legend

You cannot name a search, but you can achieve what you're looking for by renaming the fields in each of the searches, like so:

host="1.1.1.1" VPN=A | eval searchA_time=_time | join IP [search host="1.1.1.1" VPN=b | eval searchB_time=_time | fields searchB_time] | table searchA_time searchB_time username
0 Karma