Splunk get inner Query results with in the time frame provided by outer Query

Asked Sep 24 '20 at 21:45

Active Sep 25 '20 at 17:14

Viewed 30 times

-1

Successfully scheduled PushNotification in UserMessageChanelMap LINK_MORE_ACCOUNTS |eval fields=split(raw,"|") | eval messageKey =mvindex(fields,2) |eval num=mvindex(fields,5) | table messageKey_, num | eval scheduledDate = replace(num, "scheduledDate:", "") | eval messageKey = replace(messageKey_,"messageKey:","") | eval newTS=strftime(strptime(scheduledDate, "%a %b %d %H:%M:%S %Z %Y"), "%Y-%m-%d %H:%M:%S") | stats count by newTS,messageKey | stats min(newTS) as fromScheduledDate, max(newTS) as toScheduledDate | appendcols [search ( ("Could not send PushNotification") messageKey:LINK_MORE_ACCOUNTS NOT ("*|reason:Failed to Deliver|") | extract pairdelim="|" kvdelim=":" | table userId,userMessageId,messageKey| stats count by userId,userMessageId,messageKey | table userId,userMessageId, messageKey | stats count as pushFallOffPoints by messageKey ]

Here I want to run my SubQuery with in the time range of fromScehduledDate - toScehduledDate. I was trying to pass these dates to earliest and latest but that did not work. Help is appreciated .

asked Sep 24 '20 at 21:45

Sahithi Mamidi

55
3

The second `stats` line stomps on the first one, as it stands now: `| stats count by newTS,messageKey | stats min(newTS) as fromScheduledDate, max(newTS) as toScheduledDate`. You're only going to get 2 results from the second `stats` - so either don't bother with the first, or you need to rethink what you want the second grouped by. I *suspect* you meant this: `| stats min(newTS) as fromScheduledDate, max(newTS) as toScheduledDate` by messageKey` – warren Sep 25 '20 at 12:06

2 Answers2

0

Subsearches run first so there is no such thing as passing fields into a subsearch. A subsearch, however, can return fields to the main search using the format or return command. Run the subsearch by itself to see what exactly it returns and to verify the returned string makes sense when combined with the main search.

answered Sep 24 '20 at 23:39

RichG

4,202
1
12
23

0

I was able to figure out the solution

( [ search Successfully scheduled PushNotification in LINK_MORE_ACCOUNTS |eval fields=split(raw,"|") | eval messageKey =mvindex(fields,2) |eval num=mvindex(fields,5) | table messageKey_, num | eval scheduledDate = replace(num, "scheduledDate:", "") | eval messageKey = replace(messageKey_,"messageKey:","") | eval newTS=strptime(scheduledDate, "%a %b %d %H:%M:%S %Z %Y") | stats count by newTS,messageKey | stats min(newTS) as earliest | return earliest ] , [ search Successfully scheduled PushNotification in UserMessageChanelMap LINK_MORE_ACCOUNTS |eval fields=split(raw,"|") | eval messageKey =mvindex(fields,2) |eval num=mvindex(fields,5) | table messageKey_, num | eval scheduledDate = replace(num, "scheduledDate:", "") | eval messageKey = replace(messageKey_,"messageKey:","") | eval newTS=strptime(scheduledDate, "%a %b %d %H:%M:%S %Z %Y") | stats count by newTS,messageKey | stats max(newTS) as latest | return latest] ) ( container_name="ace-service") ("Could not send PushNotification") messageKey:LINK_MORE_ACCOUNTS NOT ("*|reason:Failed to Deliver|") | extract pairdelim="|" kvdelim=":" | table userId,userMessageId,messageKey| stats count by userId,userMessageId,messageKey | table userId,userMessageId, messageKey | stats count as pushFallOffPoints by messageKey

answered Sep 25 '20 at 17:14

Sahithi Mamidi

55
3