Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Subsearch time range

szrobag
Explorer
‎08-22-2018 01:01 AM

Hello,

I'd like to run a subsearch with different time range than the parent search. Have to get mac addresses, and need a bigger time range to see results in DHCP logs. you help what's wrong with this ?

index=fw src_translated_ip="$subsearch_src_ip$"
| dedup src_ip
| rename src_ip as dest_ip
| join type=left max=1 dest_ip [ search index=dhcp earliest=-1h@h sourcetype=isc:dhcp dhcp_type=DHCPACK ]
| table dest_ip dest_mac

thanks

Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎06-18-2019 04:36 AM

Hello @szrobag,

Your query is absolutely correct if what you want is to give time-range token to outer search and some fix time-range to sub-search.
Let me know if you want to have something else with this or there is some relation between outer queries timerange and sub-search time-range.

0 Karma
Reply

niketn
Legend
‎08-23-2018 12:42 PM

@szrobag you can add earliest and latest time to both your main search and sub-search as per your use case. The following query finds src_ip for last 15 min and then renames and correlates with subsearch running for last 1 hour.

index=fw src_translated_ip="$subsearch_src_ip$" earliest=-15m@m latest=now 
| dedup src_ip 
| rename src_ip as dest_ip
| join type=left max=1 dest_ip [ search index=dhcp earliest=-1h@h latest=now sourcetype=isc:dhcp dhcp_type=DHCPACK ]
| table dest_ip dest_mac
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

szrobag
Explorer
‎08-23-2018 01:05 PM

Hi,

Thanks, but i use an dashboard, and would like to use time picker and tokens. If the date token is subsearch_time, can i use it as earliest= $subsearch_time.earliest$ -3600 and latest=$subsearch_time.latest$ ?

Reply

iancorrea
Path Finder
‎06-18-2019 01:00 AM

Hi. Do you find any solution to this? I have this problem too. Thanks

0 Karma
Reply

halisc
New Member
‎08-22-2018 01:05 PM

Hello,

You would like to see the results for how many Mac_Addresses that has logged in the last one hour also logged previously in a bigger range of time.

I think you just need to return dest_ips from your subsearch as src_ip(Since we are joinning. their field names must match) and search it in your main query. Following query should work for you.

index=fw

| dedup src_ip
| join type=left max=1 src_ip
[ search index=dhcp sourcetype=isc:dhcp dhcp_type=DHCPACK earliest=-1h@h
|stats count by dest_ip ] //This will return distinct destination ips in the last hour.
| rename src_ip as dest_ip
| table dest_ip dest_mac

0 Karma
Reply

szrobag
Explorer
‎08-23-2018 11:08 AM

Hello,
Thank you for your reply. I think the structure of my query is okay, but i have only few results because of the subsearch time range.Let me tell you about the details about what i need. The main query looks for IP addresses which had traffic in the selected time range. The time period is pretty short, usually 1-2 mins. Theese addresses are the src_ip's. In the subsearch i am looking for the MAC addresses of the src_ip addresses, not the number of MAC or IP values. I need to use a dhcp log to pair the values filtered DHCPACK type, and that 1-2 min time period is very short to find DHCPACK in the log. The quest would be to run the subsearch 1 or 2 hour time range before the main query. I would try your one tomorrow, hope you had a good idea.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...