Subsearch time range

szrobag · ‎08-22-2018

Hello,

I'd like to run a subsearch with different time range than the parent search. Have to get mac addresses, and need a bigger time range to see results in DHCP logs. you help what's wrong with this ?

index=fw src_translated_ip="$subsearch_src_ip$"
| dedup src_ip
| rename src_ip as dest_ip
| join type=left max=1 dest_ip [ search index=dhcp earliest=-1h@h sourcetype=isc:dhcp dhcp_type=DHCPACK ]
| table dest_ip dest_mac

thanks

VatsalJagani · ‎06-18-2019

Hello @szrobag,

Your query is absolutely correct if what you want is to give time-range token to outer search and some fix time-range to sub-search.
Let me know if you want to have something else with this or there is some relation between outer queries timerange and sub-search time-range.

niketn · ‎08-23-2018

@szrobag you can add earliest and latest time to both your main search and sub-search as per your use case. The following query finds src_ip for last 15 min and then renames and correlates with subsearch running for last 1 hour.

index=fw src_translated_ip="$subsearch_src_ip$" earliest=-15m@m latest=now 
| dedup src_ip 
| rename src_ip as dest_ip
| join type=left max=1 dest_ip [ search index=dhcp earliest=-1h@h latest=now sourcetype=isc:dhcp dhcp_type=DHCPACK ]
| table dest_ip dest_mac

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

szrobag · ‎08-23-2018

Hi,

Thanks, but i use an dashboard, and would like to use time picker and tokens. If the date token is subsearch_time, can i use it as earliest= $subsearch_time.earliest$ -3600 and latest=$subsearch_time.latest$ ?

iancorrea · ‎06-18-2019

Hi. Do you find any solution to this? I have this problem too. Thanks

halisc · ‎08-22-2018

Hello,

You would like to see the results for how many Mac_Addresses that has logged in the last one hour also logged previously in a bigger range of time.

I think you just need to return dest_ips from your subsearch as src_ip(Since we are joinning. their field names must match) and search it in your main query. Following query should work for you.

index=fw

| dedup src_ip
| join type=left max=1 src_ip
[ search index=dhcp sourcetype=isc:dhcp dhcp_type=DHCPACK earliest=-1h@h
|stats count by dest_ip ] //This will return distinct destination ips in the last hour.
| rename src_ip as dest_ip
| table dest_ip dest_mac

szrobag · ‎08-23-2018

Hello,
Thank you for your reply. I think the structure of my query is okay, but i have only few results because of the subsearch time range.Let me tell you about the details about what i need. The main query looks for IP addresses which had traffic in the selected time range. The time period is pretty short, usually 1-2 mins. Theese addresses are the src_ip's. In the subsearch i am looking for the MAC addresses of the src_ip addresses, not the number of MAC or IP values. I need to use a dhcp log to pair the values filtered DHCPACK type, and that 1-2 min time period is very short to find DHCPACK in the log. The quest would be to run the subsearch 1 or 2 hour time range before the main query. I would try your one tomorrow, hope you had a good idea.

Subsearch time range

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor