Is it possible to do a search with a join and the events from the join search be relative to the time of the events of the main search?
Let's say sourceA returns a web server access log. SourceB has a running list of IP addresses and the systems that were assigned the IP address.
For example, web server log has IP address 192.168.1.2 at around 2 pm. I want to search sourceB from 1pm to 3pm. Both sources have the src_ip field.
Example search:
sourceA | join src_ip [search sourceB]
Any ideas?
This is probably not what you want but you may be able to use the map command to get some results:
index=_internal | stats count by host | addinfo | eval info_min_time=info_min_time-3600 | eval info_max_time=info_max_time+3600 | map search="search index=_internal host=$host$ starttimeu=$info_min_time$ endtimeu=$info_max_time$ | fields _raw"
stats is used to return a list of the hosts in the base search
addinfo adds the search times of the search
the evals change the span to whatever you want (+1h and -1h of the original search span)
the map command will loop through every result (the list of hosts with the modified info_min/max_time fields) and do the search you want
Someone else is going to have a better idea ...
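Applying the same map technique to the question's actual case, as an added example (not from the answer above or from Splunk's own documentation): web hits from sourceA are grouped into one-hour buckets per src_ip, and for each bucket a sourceB subsearch is run over a window from one hour before the bucket start to one hour after its end. The placeholders sourceA and sourceB stand for the real base searches, and the field name system in sourceB is an assumption.

```spl
sourceA
| bin _time span=1h
| stats count AS web_hits BY _time src_ip
| rename _time AS web_time
| eval win_start=web_time-3600, win_end=web_time+7200
| map maxsearches=50 search="search sourceB src_ip=$src_ip$ earliest=$win_start$ latest=$win_end$ | eval web_time=$web_time$, web_hits=$web_hits$ | table web_time src_ip system _time web_hits"
```

Bucketing with bin and stats keeps the number of subsearches to one per IP per hour rather than one per web event; map stops after maxsearches subsearches (default 10), so raise it to fit the number of rows the base search produces.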
I am running 4.3. The same search worked the next day, but the results were not quite what I was expecting.
Hi agody, I just ran the following search on a test instance and it worked fine: index=* | head 10 | rename _time as time | map search="search index=* earliest=$time$". What version of Splunk are you running on?
Hmm. I can't seem to get the map command to work.
Trying a simple search:
sourceA src_ip=X | rename _time as time | map search="index=y earliest=$time$"
Getting: [EventsViewer module] Error in 'map': Did not find value for required attribute 'time'.