- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Join time selector based on event of main search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Join time selector based on event of main search
Is it possible to do a search with a join and the events from the join search be relative to the time of the events of the main search?
Lets say sourceA returns web server access log. SourceB has a running lists of IP address and systems that were assigned the IP address.
For example, web server log has IP address 192.168.1.2 at around 2 pm. I want to search sourceB from 1pm to 3pm. Both sources have the src_ip field.
Example search:
sourceA | join src_ip [search sourceB]
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is probably not what you want but you may be able to use the map command to get some results:
index=_internal | stats count by host | addinfo |eval info_min_time=info_min_time-3600 | eval info_max_time=info_max_time+3600 | map search="search index=_internal host=$host$ starttimeu=$info_min_time$ endtimeu=$info_max_time$ | fields _raw"
stats is used to return a list of the hosts in the base search
addinfo adds the search timess of the search
the evals change the span to whatever you want (+1h and -1h of the original searchspan)
the map command will loop through every result (the list of hosts with the modified inf_min/max_time fields and do a search you want
Someone else is going to have a better idea ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am running 4.3. The same search worked the next day, but the results were not quite what I was expecting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi agody, I just ran the following search on a test instance and it worked fine index=* | head 10 | rename _time as time | map search="search index=* earliest=$time$" what version of Splunk are you running on
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm. I cant seem to get the map command to work.
Trying a simple search:
sourceA src_ip=X | rename _time as time | map search="index=y earliest=$time$"
Getting: [EventsViewer module] Error in 'map': Did not find value for required attribute 'time'.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
