Splunk Enterprise Security

Sub search return value that's not in main search

karthikmalla
Explorer

I have a Splunk sub search similar to

index=index1 type="example" [ search index=index2 type="other" | eval nowtime=_time | eval maxtime=_time+30 | fields user] | table user, nowtime, maxtime

Now in index2 there are extra fields, nowtime and maxtime, and I need to compare this nowtime & maxtime to index1's event time, like index1's _time > nowtime and index1's time < maxtime.

For this I have to return values nowtime & maxtime out of the inner search which I am unable to do.

The inner search is based on a common field called user which is in both index1 and index2. How can I check if the user logged in index2 and then should have a login within 30 seconds in index1?

Thanks

0 Karma

manish_singh_77
Builder

Please use append if you want to pass the results of the subsearch to the main search.

index=index1 type="example" | append [ search index=index2 type="other" | eval nowtime=_time | eval maxtime=_time+30 | fields user, nowtime, maxtime ] | table user, nowtime, maxtime

Let me know if it works.

0 Karma

renjith_nair
Legend

Hi @karthikmalla ,

Your sub-search is not returning the fields because you have restricted the inner search's output to fields user.
Can you please try the search below and see if it works for you? You might change the aggregation function based on your events' order.

(index=index1 OR index=index2) | stats latest(eval(if(index=="index1",_time,NULL))) as index1_time, latest(eval(if(index=="index2",_time,NULL))) as index2_time by user | eval diff=index2_time-index1_time | where diff<30
Happy Splunking!

karthikmalla
Explorer

Actually this is deduping the user, which shouldn't happen, and also not all users' time difference is working. If I run over a full day, index1 has around 100,000 results and index2 has 100 results, and technically every event in index2 should be in index1 as well (but with a time difference); however, only 1 or 2 events are displaying. Not sure why the others are ignored.

0 Karma

renjith_nair
Legend

Alright, can you please try this and let us know?

index=index1 type="example" | join user type=outer [ search index=index2 type="other" | eval nowtime=_time | eval maxtime=_time+30 | fields user, nowtime, maxtime ] | table _time, user, nowtime, maxtime
Happy Splunking!
0 Karma

karthikmalla
Explorer

I tried this before and, as I said in my earlier comment, index1 has 100,000 results and index2 has 100 results. I need a user login in index2 to be checked against a user login in index1 within 30 seconds; the way join does it, if there is any login in index1 it will still join it. My main blocker is checking 2 events from different indexes within 30 seconds.

0 Karma
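Two added SPL queries, not from this thread, that do the per-event 30-second check without the one-row-per-user collapse that stats and join cause: the first has the subsearch return user, earliest and latest, which Splunk applies as time modifiers inside each OR'd clause, so index1 is only searched for events in each index2 event's window; the second brings both indexes into one search and uses streamstats to carry each user's most recent index2 time forward, keeping nowtime and maxtime in the output. Index names, type values and the 30-second window come from the thread; that streamstats last() skips rows where nowtime is null (so the carried value is the latest index2 time, not the current index1 row) is an assumption about Splunk's aggregator behaviour.

```spl
index=index1 type="example"
    [ search index=index2 type="other"
      | eval earliest=_time, latest=_time+30
      | fields user earliest latest ]
| table _time user

(index=index1 type="example") OR (index=index2 type="other")
| eval nowtime=if(index=="index2", _time, null())
| sort 0 user _time
| streamstats current=f last(nowtime) as nowtime by user
| where index=="index1" AND isnotnull(nowtime) AND _time>nowtime AND _time<nowtime+30
| eval maxtime=nowtime+30
| table user _time nowtime maxtime
```

The first query is the cheaper one for the thread's volumes (100 index2 events against 100,000 index1 events), because only the windowed index1 events are read; the second reads both indexes in full but shows which index2 event each index1 login was matched to.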