Splunk Search

Join time selector based on event of main search

agodoy
Communicator

Is it possible to do a search with a join and the events from the join search be relative to the time of the events of the main search?

Let's say sourceA returns web server access logs. SourceB has a running list of IP addresses and the systems that were assigned each IP address.

For example, web server log has IP address 192.168.1.2 at around 2 pm. I want to search sourceB from 1pm to 3pm. Both sources have the src_ip field.

Example search:
sourceA | join src_ip [search sourceB]

Any ideas?


chris
Motivator

This is probably not what you want but you may be able to use the map command to get some results:

index=_internal | stats count by host | addinfo |eval info_min_time=info_min_time-3600 | eval info_max_time=info_max_time+3600 | map search="search index=_internal host=$host$ starttimeu=$info_min_time$ endtimeu=$info_max_time$ | fields _raw"

stats is used to return a list of the hosts in the base search
addinfo adds the search times of the search
the evals change the span to whatever you want (+1h and -1h of the original search span)
the map command will loop through every result (the list of hosts with the modified info_min/max_time fields) and do the search you want

Someone else is going to have a better idea ...


agodoy
Communicator

I am running 4.3. The same search worked the next day, but the results were not quite what I was expecting.


chris
Motivator

Hi agodoy, I just ran the following search on a test instance and it worked fine:
index=* | head 10 | rename _time as time | map search="search index=* earliest=$time$"
What version of Splunk are you running?


agodoy
Communicator

Hmm. I can't seem to get the map command to work.

Trying a simple search:
sourceA src_ip=X | rename _time as time | map search="index=y earliest=$time$"
Getting: [EventsViewer module] Error in 'map': Did not find value for required attribute 'time'.

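An added example (not from any poster in this thread) that applies chris's map pattern to the original question: each web-server event's own _time defines a one-hour window on either side for the sourceB lookup. sourceA, sourceB, the lease record field system and the maxsearches value of 200 are assumed placeholders.

```spl
sourceA src_ip=*
| eval web_time=_time, win_start=_time-3600, win_end=_time+3600
| table web_time win_start win_end src_ip
| map maxsearches=200 search="search sourceB src_ip=$src_ip$ earliest=$win_start$ latest=$win_end$ | eval web_time=$web_time$ | table web_time _time src_ip system"
```

map runs one subsearch per row of the outer search (capped by maxsearches, default 10), so narrow sourceA before the map; every $field$ token is filled from the current row, which is why the "Did not find value for required attribute" error appears when a referenced field is missing from a result, and the table before map guarantees the fields are present.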