https://community.splunk.com/t5/Splunk-Search/Join-by-time-range/m-p/526835#M148708 <P>Hi all,</P><P>&nbsp;</P><P>Possible to join 2 search results like following?</P><P>&nbsp;</P><P>Set 1:</P><P>_time&nbsp;</P><P>field1</P><P>field2</P><P>field3 (common field)</P><P>&nbsp;</P><P>Set 2:</P><P>_time&nbsp;&nbsp;</P><P>fieldA (multiple values, contains start/end time)&nbsp;</P><P>fieldB&nbsp;</P><P>field3 (common field)</P><P>&nbsp;</P><P>Then join with common field3, together with:</P><P>&nbsp;</P><P>fieldA (start) &lt; _time (Set1) &lt; fieldA (end)</P><P>&nbsp;</P><P>Thanks a lot.</P><P>Regards</P><P>/stwong</P> Wed, 28 Oct 2020 11:15:56 GMT stwong 2020-10-28T11:15:56Z https://community.splunk.com/t5/Splunk-Search/Join-by-time-range/m-p/526835#M148708 <P>Hi all,</P><P>&nbsp;</P><P>Possible to join 2 search results like following?</P><P>&nbsp;</P><P>Set 1:</P><P>_time&nbsp;</P><P>field1</P><P>field2</P><P>field3 (common field)</P><P>&nbsp;</P><P>Set 2:</P><P>_time&nbsp;&nbsp;</P><P>fieldA (multiple values, contains start/end time)&nbsp;</P><P>fieldB&nbsp;</P><P>field3 (common field)</P><P>&nbsp;</P><P>Then join with common field3, together with:</P><P>&nbsp;</P><P>fieldA (start) &lt; _time (Set1) &lt; fieldA (end)</P><P>&nbsp;</P><P>Thanks a lot.</P><P>Regards</P><P>/stwong</P> Wed, 28 Oct 2020 11:15:56 GMT https://community.splunk.com/t5/Splunk-Search/Join-by-time-range/m-p/526835#M148708 stwong 2020-10-28T11:15:56Z https://community.splunk.com/t5/Splunk-Search/Join-by-time-range/m-p/526837#M148709 <P>Rename _time in query 2 as part of the join, then you will be able to do your comparison / filter after the join</P> Wed, 28 Oct 2020 11:20:46 GMT https://community.splunk.com/t5/Splunk-Search/Join-by-time-range/m-p/526837#M148709 ITWhisperer 2020-10-28T11:20:46Z https://community.splunk.com/t5/Splunk-Search/Join-by-time-range/m-p/526992#M148744 <P>Thanks.&nbsp; Seems if join first with common field3,&nbsp; unable to do filter afterwards. Would you advise how?&nbsp; Sorry for the newbie question.</P><P>Thanks.</P> Thu, 29 Oct 2020 03:10:34 GMT https://community.splunk.com/t5/Splunk-Search/Join-by-time-range/m-p/526992#M148744 stwong 2020-10-29T03:10:34Z https://community.splunk.com/t5/Splunk-Search/Join-by-time-range/m-p/527025#M148763 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/148178">@stwong</a>&nbsp;I don't understand what you mean. Perhaps if you gave some concrete examples of your queries and data we might be able to help more.</P> Thu, 29 Oct 2020 08:55:57 GMT https://community.splunk.com/t5/Splunk-Search/Join-by-time-range/m-p/527025#M148763 ITWhisperer 2020-10-29T08:55:57Z