https://community.splunk.com/t5/Splunk-Search/Find-events-that-occur-after-the-time-returned-from-a-subsearch/m-p/115280#M30530 <P>Thank you, This gets me much closer to what I want to do. The only issue I have now is I have to convert the completed_date to epoch to use it as my comparison value. Dataset2 _time is based off create_date but Dataset1 _time value is not based off of completed_date.</P> <P>Thanks again,<BR /> Paul</P> Mon, 28 Sep 2020 20:01:50 GMT loeweps 2020-09-28T20:01:50Z https://community.splunk.com/t5/Splunk-Search/Find-events-that-occur-after-the-time-returned-from-a-subsearch/m-p/115278#M30528 <P>I have two sets of data. Both have account number and date along with a list of other fields. I want to search for account numbers in dataset 1 and take those account number and find all records that occur after the event for each account number. </P> <P>I assume a subsearch is the best way to do that. </P> <P>If I have <BR /> Dataset1:</P> <PRE><CODE>Account_Num Complete_Date 1 1/5/2015 2 2/3/2015 3 2/6/2015 1 2/9/2015 </CODE></PRE> <P>Dataset2: </P> <PRE><CODE>Account Create_Date 1 1/1/2015 2 2/6/2015 3 2/8/2015 1 2/14/2015 </CODE></PRE> <P>I want to search for and return the account number and completed date and then search the second data set for accounts with a created date of within 14 days of the date from the first search. </P> <P>I was assuming that I should do a subsearch that would return the <CODE>Account_Num</CODE> and <CODE>Complete_Date</CODE> but I am not sure of the best way to have it only search on the <CODE>Account_Num</CODE> and then search within a 14 day window of the <CODE>Complete_Date</CODE> against the <CODE>Create_Date</CODE>. I looked up foreach but wasn't sure if that solves my issue. </P> <P>I want it to return only the three records listed below from Dataset2 because they have a matching account number and have a create date of within 14 days of the data from Dataset1</P> <PRE><CODE>Account Create_Date 2 2/6/2015 3 2/8/2015 1 2/14/2015 </CODE></PRE> <P>Thanks in advance for any help with this as it is appreciated. </P> Wed, 20 May 2015 18:04:48 GMT https://community.splunk.com/t5/Splunk-Search/Find-events-that-occur-after-the-time-returned-from-a-subsearch/m-p/115278#M30528 loeweps 2015-05-20T18:04:48Z https://community.splunk.com/t5/Splunk-Search/Find-events-that-occur-after-the-time-returned-from-a-subsearch/m-p/115279#M30529 <P>Try to avoid subsearches whenever possible. Try this (assuming you are timestamping the events based on the date field values within the events):</P> <PRE><CODE>sourcetype=Dataset1 | stats first(_time) AS latestTime by Account_Num | map search="sourcetype=Dataset2 Account=$Account_Num$ | eval delta=_time - $latestTime$ | where abs(delta)&lt;1209600" </CODE></PRE> Wed, 20 May 2015 20:36:10 GMT https://community.splunk.com/t5/Splunk-Search/Find-events-that-occur-after-the-time-returned-from-a-subsearch/m-p/115279#M30529 woodcock 2015-05-20T20:36:10Z https://community.splunk.com/t5/Splunk-Search/Find-events-that-occur-after-the-time-returned-from-a-subsearch/m-p/115280#M30530 <P>Thank you, This gets me much closer to what I want to do. The only issue I have now is I have to convert the completed_date to epoch to use it as my comparison value. Dataset2 _time is based off create_date but Dataset1 _time value is not based off of completed_date.</P> <P>Thanks again,<BR /> Paul</P> Mon, 28 Sep 2020 20:01:50 GMT https://community.splunk.com/t5/Splunk-Search/Find-events-that-occur-after-the-time-returned-from-a-subsearch/m-p/115280#M30530 loeweps 2020-09-28T20:01:50Z