https://community.splunk.com/t5/Splunk-Search/Can-we-use-Start-End-times-from-a-query-to-get-duration-to-use/m-p/290166#M87728 <P>I am able to get the Start/End times of a load test execution from a search query (by getting End time from Timestamp (field) of the log data, and subtracting the duration (field) to get Start time.<BR /> Now I want to use this Start time, End time and duration between them in another search query with a different sourcetype such that it would fetch all the data inputs falling within that time duration (between Start/End times) from another app logs - to calculate the average/count of a field.<BR /> So, please help me in achieving the desired data with the required search queries (using subsearch/joins etc.)</P> Sun, 07 Jan 2018 15:05:24 GMT MSaraswat 2018-01-07T15:05:24Z https://community.splunk.com/t5/Splunk-Search/Can-we-use-Start-End-times-from-a-query-to-get-duration-to-use/m-p/290166#M87728 <P>I am able to get the Start/End times of a load test execution from a search query (by getting End time from Timestamp (field) of the log data, and subtracting the duration (field) to get Start time.<BR /> Now I want to use this Start time, End time and duration between them in another search query with a different sourcetype such that it would fetch all the data inputs falling within that time duration (between Start/End times) from another app logs - to calculate the average/count of a field.<BR /> So, please help me in achieving the desired data with the required search queries (using subsearch/joins etc.)</P> Sun, 07 Jan 2018 15:05:24 GMT https://community.splunk.com/t5/Splunk-Search/Can-we-use-Start-End-times-from-a-query-to-get-duration-to-use/m-p/290166#M87728 MSaraswat 2018-01-07T15:05:24Z https://community.splunk.com/t5/Splunk-Search/Can-we-use-Start-End-times-from-a-query-to-get-duration-to-use/m-p/290167#M87729 <PRE><CODE>[search &lt;your search that creates start/end fields&gt; | rename start AS earliest, end AS latest | table earliest latest] &lt;your new search&gt; </CODE></PRE> <P>As a run-anywhere example:</P> <PRE><CODE>[| makeresults | eval start=relative_time(now(), "-10min"), end=relative_time(now(), "-5min") | rename start AS earliest, end AS latest | table earliest latest] index=_internal </CODE></PRE> <P>Note the run-anywhere example doesn't have <CODE>search</CODE> in the subsearch (between the <CODE>[]</CODE>). This is because <CODE>makeresults</CODE> is a generating command. I'm assuming your initial search that calculates start/end will use an indexed search, and the <CODE>search</CODE> command that would be assumed in your main search string must be explicitly included inside a subsearch.</P> Sun, 07 Jan 2018 18:20:20 GMT https://community.splunk.com/t5/Splunk-Search/Can-we-use-Start-End-times-from-a-query-to-get-duration-to-use/m-p/290167#M87729 micahkemp 2018-01-07T18:20:20Z https://community.splunk.com/t5/Splunk-Search/Can-we-use-Start-End-times-from-a-query-to-get-duration-to-use/m-p/290168#M87730 <P>Hi MSaraswat,<BR /> try something like this</P> <PRE><CODE>index=my_index1 sourcetype=my_sourcetype1 [ search index=my_index2 sourcetype=my_sourcetype2 | rename Timestamp AS latest | eval earliest=strptime(latest,"time_format")-duration | fields earliest latest ] | ... </CODE></PRE> <P>(I don't know the Timestamp field format so you have to customize it).</P> <P>Bye.<BR /> Giuseppe</P> Mon, 08 Jan 2018 07:39:36 GMT https://community.splunk.com/t5/Splunk-Search/Can-we-use-Start-End-times-from-a-query-to-get-duration-to-use/m-p/290168#M87730 gcusello 2018-01-08T07:39:36Z