https://community.splunk.com/t5/Splunk-Search/How-to-find-list-of-all-events-within-time-window-of-other/m-p/443060#M125731 <P>Try something like this ...</P> <PRE><CODE> index=A ( ErrorCode=2 OR ErrorCode=3) [ search index=B Criteria=1 | table _time userName | eval earliest=_time | eval latest=_time+60 | fields - _time | format "(" "(" "" ")" "OR" ")" | rex mode=sed field=search "s/\"//g" ] </CODE></PRE> <P>The return values from the search code in square brackets end up being formatted something like this </P> <PRE><CODE>( ( earliest=1536192351.692 latest=1536192411.692 userName=value1 ) OR ( earliest=1536192351.692 latest=1536192411.692 userName=value2 ) OR ... ) </CODE></PRE> <P>Where those 153619235X.XXX values are epoch times. </P> <P>The <CODE>rex</CODE> line kills the quotes around the values, which must be done for the earliest and latest values to be interpreted correctly.</P> <P>If <CODE>userNames</CODE> may contain internal quotes or special characters, then the <CODE>rex</CODE> should be replaced by a <CODE>strftime</CODE> command back when the values of <CODE>earliest</CODE> and <CODE>latest</CODE> are being calculated, to translate them into the character values accepted by Splunk. </P> <P>Let us know if you need that.</P> Wed, 05 Sep 2018 23:54:41 GMT DalJeanis 2018-09-05T23:54:41Z https://community.splunk.com/t5/Splunk-Search/How-to-find-list-of-all-events-within-time-window-of-other/m-p/443059#M125730 <P>I have a query that looks like this:</P> <PRE><CODE> index=A ( ErrorCode=2 OR ErrorCode=3) [ search index=B Criteria=1 | table userName] </CODE></PRE> <P>This query will look for all users that have criteria=1 in their event, and then look to see if they have criteria 2 (in a separate index/sourcetype).</P> <P>However, what I am really looking for is the events that occur 1 minute after Criteria 1 is triggered. I want to see how many users are experiencing errors right after criteria 1 is triggered. With this search, if a user experienced the criteria yesterday, but the errors today, it would show up.</P> <P>I assume I need to carry the <CODE>_time</CODE> field over somehow and marry it to the username? Not sure how to go about doing this.</P> Wed, 05 Sep 2018 00:56:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-list-of-all-events-within-time-window-of-other/m-p/443059#M125730 brajaram 2018-09-05T00:56:16Z https://community.splunk.com/t5/Splunk-Search/How-to-find-list-of-all-events-within-time-window-of-other/m-p/443060#M125731 <P>Try something like this ...</P> <PRE><CODE> index=A ( ErrorCode=2 OR ErrorCode=3) [ search index=B Criteria=1 | table _time userName | eval earliest=_time | eval latest=_time+60 | fields - _time | format "(" "(" "" ")" "OR" ")" | rex mode=sed field=search "s/\"//g" ] </CODE></PRE> <P>The return values from the search code in square brackets end up being formatted something like this </P> <PRE><CODE>( ( earliest=1536192351.692 latest=1536192411.692 userName=value1 ) OR ( earliest=1536192351.692 latest=1536192411.692 userName=value2 ) OR ... ) </CODE></PRE> <P>Where those 153619235X.XXX values are epoch times. </P> <P>The <CODE>rex</CODE> line kills the quotes around the values, which must be done for the earliest and latest values to be interpreted correctly.</P> <P>If <CODE>userNames</CODE> may contain internal quotes or special characters, then the <CODE>rex</CODE> should be replaced by a <CODE>strftime</CODE> command back when the values of <CODE>earliest</CODE> and <CODE>latest</CODE> are being calculated, to translate them into the character values accepted by Splunk. </P> <P>Let us know if you need that.</P> Wed, 05 Sep 2018 23:54:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-list-of-all-events-within-time-window-of-other/m-p/443060#M125731 DalJeanis 2018-09-05T23:54:41Z