Join and a Transaction with _time within minute?

dgshue — Mon, 28 Sep 2020 13:34:15 GMT

Ok folks, here's a doozy.

Two sets of data, first set of data is needs to be evaluated by a transaction to group a long log together.

index="main" sourcetype=APPPERF | transaction maxspan=0s startswith="Transaction arrived:" endswith="Sent transaction" | search Transaction_Name="App Test Script" | timechart span=10m values(Duration) by Transaction_Name

From this search I can get the "Duration" that the App Test Script took.. great!

My second set of data is bandwidth related.

From this search (found on splunkbase) I am getting my firewall current bandwidth. I've been somewhat successful joining these two together by _time, but my problem with that is that my bandwidth polling and app perf polling are not in sync, so I may only get 2 or 3 records to match.

I'm open to any suggestions on how to get these two data sets into a timechart.

Re: Join and a Transaction with _time within minute?

martin_mueller — Thu, 21 Mar 2013 16:22:55 GMT

If you do a timechart over the same range with the same span twice you can use appendcols to merge them.

topic Re: Join and a Transaction with _time within minute? in Splunk Search

Join and a Transaction with _time within minute?

Re: Join and a Transaction with _time within minute?