Splunk Search

Get a time range from subsearch to adjust main search time range

samlinsongguo
Communicator

Hi
I captured an event, and I want to do a search whose time range is based on the previously captured event's time.
For example, I do the following search:

index=wineventlog source="WinEventLog:Security" Account_Name=abc EventCode=4624 | table _time

This will return a list of all 4624 events with Account_Name=abc, like below:

08/24/2017:06:37:11
08/24/2017:09:37:11
......

For each of those times I want to check whether or not there is a 4688 event in the 5-minute window. To run this manually, the search queries would be like this:

08/24/2017:06:37:11

index=wineventlog source="WinEventLog:Security" Account_Name=abc EventCode=4688 earliest="08/24/2017:06:32:11" latest="08/24/2017:06:37:11"

08/24/2017:09:37:11

index=wineventlog source="WinEventLog:Security" Account_Name=abc EventCode=4688 earliest="08/24/2017:09:32:11" latest="08/24/2017:09:37:11"
......

I tried to do it as a subsearch, but it does not pick up the subsearch result as the time range. Can anyone give me some suggestions, please?

index=wineventlog source="WinEventLog:Security" Account_Name=abc EventCode=4688 
    [ search index=wineventlog source="WinEventLog:Security" Account_Name=guos EventCode=4624 
    | eval earliest=strftime(_time-300,"%m/%d/%Y:%H:%M:%S") 
    | eval latest=strftime(_time,"%m/%d/%Y:%H:%M:%S") 
    | top limit=1 earliest, latest 
    | table earliest, latest
    ]
0 Karma

DalJeanis
Legend

Unless there are only a very few of these, the method you are requesting will be very inefficient.

Here's a different way to go about it. Basically, you grab all the 4624 and 4688 records that you might need, sort them into _time (or sometimes reverse _time) order, then copy the 4688 data forward onto any 4624 events that happen for a 5-minute time window. Finally, you throw away all the 4688s and the 4624s that did not find a 4688, and the results are the data you want.

https://answers.splunk.com/answers/564168/joining-two-sets-of-data-by-common-field-numeric-u.html#an...

0 Karma
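The approach DalJeanis outlines, written out as a single search. This is an added example for this thread, not code posted by either participant: it pulls both event codes for the account in one pass, sorts them by `_time`, carries the most recent 4688 forward onto each later event with `filldown`, and then keeps only the 4624 logons whose most recent 4688 fell inside the 5-minute (300 second) window the question asks for. The `New_Process_Name` field and the `Account_Name=abc` filter are assumptions taken from the question and from the usual Windows 4688 extraction; adjust them to match your own field names.

```spl
index=wineventlog source="WinEventLog:Security" Account_Name=abc (EventCode=4624 OR EventCode=4688)
| fields _time EventCode Account_Name New_Process_Name
| sort 0 _time
| eval prev_4688_time=if(EventCode==4688, _time, null()),
       prev_4688_proc=if(EventCode==4688, New_Process_Name, null())
| filldown prev_4688_time prev_4688_proc
| where EventCode==4624 AND isnotnull(prev_4688_time) AND (_time - prev_4688_time) <= 300
| eval gap_seconds=_time - prev_4688_time
| table _time Account_Name prev_4688_time prev_4688_proc gap_seconds
| convert ctime(prev_4688_time)
```

Because the events are sorted ascending, the 4688 carried onto a given 4624 is always the nearest one that precedes it, so checking only that one is enough to decide whether any 4688 sits inside the window. To look for a 4688 that happens within 5 minutes after the logon instead, sort with `sort 0 -_time` (the "reverse _time" case DalJeanis mentions) and keep the rest of the search as is. To list the logons that had no 4688 nearby, negate the `where` condition rather than dropping it, so that 4624 rows with a null `prev_4688_time` are kept too.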