Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using a result from one search in another search

htkhtk
Path Finder
‎09-09-2010 08:56 PM

I am trying to:

  1. Find a date/time of a certain event.
  2. Take that date/time from number 1. and use it to search for events only from that date/time forward.

If the date/time from number 1 was September 1st at 1:45.. Then for number 2, I would only want to get back events from September 1st and forward (forgetting about events before that.)

I need this to be automatic in the searches because the date/time range from number 1 will change based upon different circumstances.

I tried subsearches to no avail.

I am using _time.

Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-09-2010 10:22 PM

This should pretty much be it:

sourcetype=outer [ sourcetype=inner item=xxxx | head 1 | rename _time as earliest | fields earliest ]

I use head 1 to ensure just a single result, but if you only get one result some other way, that's fine too.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-09-2010 10:22 PM

This should pretty much be it:

sourcetype=outer [ sourcetype=inner item=xxxx | head 1 | rename _time as earliest | fields earliest ]

I use head 1 to ensure just a single result, but if you only get one result some other way, that's fine too.

0 Karma
Reply
Solved! Jump to solution

dennywebb
Path Finder
‎04-21-2013 12:57 AM

Is there a way to do this same thing... but for multiple results? like if i wanted to show a table full of IP stats/etc limited to the top 10 IP values of only 1 of those stats? or in this example, the earliest 10?

0 Karma
Reply
Solved! Jump to solution

htkhtk
Path Finder
‎09-10-2010 01:04 PM

This is exactly what i wanted.. thanks!

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎09-09-2010 10:33 PM

Yeah if you just want to bound, rather than get exact second, this is better.

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎09-09-2010 09:15 PM

This is pattern is possible using a subsearch, with kind of hack of a special field called 'search', mentioned over here:

http://answers.splunk.com/questions/3471/using-a-subsearch-to-get-the-time-of-an-event

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-09-2010 10:22 PM

you can't use a subsearch with the where command. Please see my other answer.

0 Karma
Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎09-09-2010 09:55 PM

In the example given, there would be no where clause. It simply becomes a constraint on the base search, which is vastly more performant. The base search command can and does perform numerical equality testing as well as numerical comparisons.

0 Karma
Reply
Solved! Jump to solution

htkhtk
Path Finder
‎09-09-2010 09:29 PM

I have gotten that far but when I try to do the where _time > [that sub search here].. It doesn't work or sometimes i get an error that says the values aren't compatible

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...