Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use values from one search as 'earliest' and 'latest' values in another?

_smp_
Builder
‎06-29-2018 09:54 AM

I have sequence of events from a VPN session. The last message in the sequence contains a field for duration of the session and I have constructed a search which accurately calculates the start time. I would like to use the start time and the end time as earliest and latest constraints to search for and display the value of the src_ip field which is found somewhere in the middle of the session. I've tried lots of different things with varying success. In the end, I want a single row that contains the start, end, duration, user, and src_ip fields.

Here's what I expected to work. My methodology was to find the last event in the session, calculate the session start time, and then pass those values along with some other fields to another search to pull out the value of the src_ip field. In this particular version of my search, I'm getting errors about the values for earliest and latest, though I'm pretty sure this entire approach is wrong anyway. I realize dashboards allow you to use tokens like this, but it's unclear to me how to use field values outside of a dashboard.

index=vpn user=ab12345 Cisco_ASA_message_id=113019
| table index, _time, user, duration
| eval earliest=(_time-duration), latest=_time, session_start=strftime(_time-duration,"%Y-%m-%d %H:%M:%S"), session_end=strftime(_time,"%Y-%m-%d %H:%M:%S"), session_duration=tostring(duration,"duration")
| table index, user, earliest, latest, session_start, session_end, session_duration
| append [search index=$index$ user=$user$ Cisco_ASA_message_id=722051 earliest=$earliest$ latest=$latest$ | table src_ip]
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-29-2018 11:28 AM

You can use map command to run another search based off your first search, like this

index=vpn user=ab12345 Cisco_ASA_message_id=113019
 | table index, _time, user, duration
 | eval earliest=(_time-duration), latest=_time, session_start=strftime(_time-duration,"%Y-%m-%d %H:%M:%S"), session_end=strftime(_time,"%Y-%m-%d %H:%M:%S"), session_duration=tostring(duration,"duration")
 | table index, user, earliest, latest, session_start, session_end, session_duration
| map maxsearches=1000 search="search index=$index$ user=$user$ Cisco_ASA_message_id=722051 earliest=$earliest$ latest=$latest$ | table src_ip user| eval session_start=\"$session_start$\", session_end=\"$session_end$\", session_duration=\"$session_duration$\" " 
| table user src_ip session_start session_end session_duration

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎06-29-2018 11:28 AM

You can use map command to run another search based off your first search, like this

index=vpn user=ab12345 Cisco_ASA_message_id=113019
 | table index, _time, user, duration
 | eval earliest=(_time-duration), latest=_time, session_start=strftime(_time-duration,"%Y-%m-%d %H:%M:%S"), session_end=strftime(_time,"%Y-%m-%d %H:%M:%S"), session_duration=tostring(duration,"duration")
 | table index, user, earliest, latest, session_start, session_end, session_duration
| map maxsearches=1000 search="search index=$index$ user=$user$ Cisco_ASA_message_id=722051 earliest=$earliest$ latest=$latest$ | table src_ip user| eval session_start=\"$session_start$\", session_end=\"$session_end$\", session_duration=\"$session_duration$\" " 
| table user src_ip session_start session_end session_duration
Reply
Solved! Jump to solution

_smp_
Builder
‎06-29-2018 12:31 PM

This is nothing short of brilliant! And you taught me a new command! Thank you so much!

There is one detail I am a little bit confused about. I did not expect the eval fields from the first search to be available in events from the map search. In fact, I often get confused about when eval fields are passed through the pipeline. It seems like whenever I need them to, they're not there. But this case is the opposite - I didn't expect them to be available, but yet they are. Is there any statement you could make or insight you are willing to share into how eval works in this case?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-29-2018 01:07 PM

When you run map command, your final output would only have columns/events from your map search (result of each map-subsearch invocation would be appended). So any fields available in main search, would be available as token in map-subsearch, but won't show in results unless you create a new field in map-subsearch with those tokens. We did it here (| eval session_start=\"$session_start$\", session_end=\"$session_end$\", session_duration=\"$session_duration$\"), so those fields are available.

Reply
Solved! Jump to solution

_smp_
Builder
‎06-29-2018 01:12 PM

OMG that is so genius. So many new and great techniques in one post. Thanks again so much!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎06-29-2018 01:41 PM

Glad to be of help. If there are no follow-up question with this query, don't forget to close the question by accepting this as an answer. This will help other Splunkers with similar question to know that a working solution exists.

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...