https://community.splunk.com/t5/Splunk-Search/Join-time-selector-based-on-event-of-main-search/m-p/60421#M14887 <P>Hi agody, I just ran the following search on a test instance and it worked fine index=* | head 10 | rename _time as time | map search="search index=* earliest=$time$" what version of Splunk are you running on</P> Wed, 12 Jun 2013 20:37:28 GMT chris 2013-06-12T20:37:28Z https://community.splunk.com/t5/Splunk-Search/Join-time-selector-based-on-event-of-main-search/m-p/60418#M14884 <P>Is it possible to do a search with a join and the events from the join search be relative to the time of the events of the main search?</P> <P>Lets say sourceA returns web server access log. SourceB has a running lists of IP address and systems that were assigned the IP address.</P> <P>For example, web server log has IP address 192.168.1.2 at around 2 pm. I want to search sourceB from 1pm to 3pm. Both sources have the src_ip field.</P> <P>Example search:<BR /> sourceA | join src_ip [search sourceB]</P> <P>Any ideas?</P> Tue, 11 Jun 2013 20:49:37 GMT https://community.splunk.com/t5/Splunk-Search/Join-time-selector-based-on-event-of-main-search/m-p/60418#M14884 agodoy 2013-06-11T20:49:37Z https://community.splunk.com/t5/Splunk-Search/Join-time-selector-based-on-event-of-main-search/m-p/60419#M14885 <P>This is probably not what you want but you may be able to use the map command to get some results:</P> <P>index=_internal | stats count by host | addinfo |eval info_min_time=info_min_time-3600 | eval info_max_time=info_max_time+3600 | map search="search index=_internal host=$host$ starttimeu=$info_min_time$ endtimeu=$info_max_time$ | fields _raw"</P> <P>stats is used to return a list of the hosts in the base search <BR /> addinfo adds the search timess of the search<BR /> the evals change the span to whatever you want (+1h and -1h of the original searchspan)<BR /> the map command will loop through every result (the list of hosts with the modified inf_min/max_time fields and do a search you want</P> <P>Someone else is going to have a better idea ...</P> Mon, 28 Sep 2020 14:04:25 GMT https://community.splunk.com/t5/Splunk-Search/Join-time-selector-based-on-event-of-main-search/m-p/60419#M14885 chris 2020-09-28T14:04:25Z https://community.splunk.com/t5/Splunk-Search/Join-time-selector-based-on-event-of-main-search/m-p/60420#M14886 <P>Hmm. I cant seem to get the map command to work.</P> <P>Trying a simple search:<BR /> sourceA src_ip=X | rename _time as time | map search="index=y earliest=$time$"<BR /> Getting: [EventsViewer module] Error in 'map': Did not find value for required attribute 'time'.</P> Tue, 11 Jun 2013 21:45:10 GMT https://community.splunk.com/t5/Splunk-Search/Join-time-selector-based-on-event-of-main-search/m-p/60420#M14886 agodoy 2013-06-11T21:45:10Z https://community.splunk.com/t5/Splunk-Search/Join-time-selector-based-on-event-of-main-search/m-p/60421#M14887 <P>Hi agody, I just ran the following search on a test instance and it worked fine index=* | head 10 | rename _time as time | map search="search index=* earliest=$time$" what version of Splunk are you running on</P> Wed, 12 Jun 2013 20:37:28 GMT https://community.splunk.com/t5/Splunk-Search/Join-time-selector-based-on-event-of-main-search/m-p/60421#M14887 chris 2013-06-12T20:37:28Z https://community.splunk.com/t5/Splunk-Search/Join-time-selector-based-on-event-of-main-search/m-p/60422#M14888 <P>I am running 4.3. The same search worked the next day, but the results were not quite what I was expecting.</P> Fri, 14 Jun 2013 13:11:19 GMT https://community.splunk.com/t5/Splunk-Search/Join-time-selector-based-on-event-of-main-search/m-p/60422#M14888 agodoy 2013-06-14T13:11:19Z