https://community.splunk.com/t5/Splunk-Search/How-to-find-field-values-from-the-results-of-a-search/m-p/657451#M227087 <P>Hello,</P> <P>I have a search as shown below which gives me the start time (start_run), end time (end_run) and duration when the value of (ValueE) is greater than 20 for the Instrument (my_inst_226).</P> <P>I need to get the values (ValueE) from 11 other Instrument for the duration of&nbsp;my_inst_226 while ValueE is greater than 20</P> <P>I would like to use "start_run" and "end_run"&nbsp; to find the value of (ValueE).&nbsp; I'm thinking that "start_run" and "end_run" would be variables that I can use when searching the ValueE for my 11 other Instruments but I am stuck on how I can use "start_run" and "end_run" for the next stage of my search.</P> <P>&nbsp;</P> <P>index=my_index_plant sourcetype=my_sourcetype_plant Instrument="my_inst_226"<BR />| sort 0 Instrument _time<BR />| streamstats global=false window=1 current=false last(ValueE) as previous by Instrument<BR />| eval current_over=if(ValueE &gt; 20, 1, 0)<BR />| eval previous_over=if(previous &gt; 20, 1, 0)<BR />| eval start=if(current_over=1 and previous_over=0,1,0)<BR />| eval end=if(current_over=0 and previous_over=1,1,0)<BR />| where start=1 OR end=1<BR />| eval start_run=if(start=1, _time, null())<BR />| eval end_run=if(end=1, _time, null())<BR />| filldown start_run end_run<BR />| eval run_duration=end_run-start_run<BR />| eval check=_time<BR />| where end=1<BR />| streamstats count as run_id<BR />| eval earliest=strftime(start_run, "%F %T")<BR />| eval latest=strftime(end_run, "%F %T")<BR />| eval run_duration=tostring(run_duration, "duration")<BR />| table run_id earliest latest start_run end_run run_duration current_over previous_over end Instrument ValueE</P> <P>&nbsp;</P> <P>Any and all tips, help and advice will be gratefully received.</P> Thu, 14 Sep 2023 17:10:05 GMT ewanbrown967 2023-09-14T17:10:05Z https://community.splunk.com/t5/Splunk-Search/How-to-find-field-values-from-the-results-of-a-search/m-p/657451#M227087 <P>Hello,</P> <P>I have a search as shown below which gives me the start time (start_run), end time (end_run) and duration when the value of (ValueE) is greater than 20 for the Instrument (my_inst_226).</P> <P>I need to get the values (ValueE) from 11 other Instrument for the duration of&nbsp;my_inst_226 while ValueE is greater than 20</P> <P>I would like to use "start_run" and "end_run"&nbsp; to find the value of (ValueE).&nbsp; I'm thinking that "start_run" and "end_run" would be variables that I can use when searching the ValueE for my 11 other Instruments but I am stuck on how I can use "start_run" and "end_run" for the next stage of my search.</P> <P>&nbsp;</P> <P>index=my_index_plant sourcetype=my_sourcetype_plant Instrument="my_inst_226"<BR />| sort 0 Instrument _time<BR />| streamstats global=false window=1 current=false last(ValueE) as previous by Instrument<BR />| eval current_over=if(ValueE &gt; 20, 1, 0)<BR />| eval previous_over=if(previous &gt; 20, 1, 0)<BR />| eval start=if(current_over=1 and previous_over=0,1,0)<BR />| eval end=if(current_over=0 and previous_over=1,1,0)<BR />| where start=1 OR end=1<BR />| eval start_run=if(start=1, _time, null())<BR />| eval end_run=if(end=1, _time, null())<BR />| filldown start_run end_run<BR />| eval run_duration=end_run-start_run<BR />| eval check=_time<BR />| where end=1<BR />| streamstats count as run_id<BR />| eval earliest=strftime(start_run, "%F %T")<BR />| eval latest=strftime(end_run, "%F %T")<BR />| eval run_duration=tostring(run_duration, "duration")<BR />| table run_id earliest latest start_run end_run run_duration current_over previous_over end Instrument ValueE</P> <P>&nbsp;</P> <P>Any and all tips, help and advice will be gratefully received.</P> Thu, 14 Sep 2023 17:10:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-field-values-from-the-results-of-a-search/m-p/657451#M227087 ewanbrown967 2023-09-14T17:10:05Z https://community.splunk.com/t5/Splunk-Search/How-to-find-field-values-from-the-results-of-a-search/m-p/657545#M227122 <P>The most blunt way to implement this would be to use the constraint on ValueE as subsearch to establish search period (earliest, latest). &nbsp;I will assume that ValueE and all the other 11 values are already extracted by Splunk. &nbsp;I will call them other_field01, other_field02, etc.</P><P>Here is an idea if you are only interested in distinct values of these.</P><LI-CODE lang="markup">index=my_index_plant sourcetype=my_sourcetype_plant [index=my_index_plant sourcetype=my_sourcetype_plant Instrument="my_inst_226" ValueE &gt; 20 | stats min(_time) as earliest max(_time) as latest] | stats values(other_field01) as other_field01 values(other_field02) as other_field02, ... values(ValueE) as ValueE by Instrument</LI-CODE><P>Hope this helps.</P><P>&nbsp;</P> Thu, 14 Sep 2023 07:15:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-find-field-values-from-the-results-of-a-search/m-p/657545#M227122 yuanliu 2023-09-14T07:15:24Z