
Search Time interval

Engager

sourcetype=A earliest=10/21/2010:09:0:0 latest=10/21/2010:09:02:0 OR sourcetype=listener earliest=10/21/2010:08:59:0 latest=10/21/2010:09:03:0 | eval x=case(sourcetype=="A" , 1 , sourcetype=="B",2) | stats sum(x) as x by id | fields x,id | where x==1

Hello,

I have a search problem.

How can I set two time intervals?

Thank you for your help.


Re: Search Time interval

Motivator

You can concatenate the results of 2 searches by using append and the 2 searches can have different time ranges.

sourcetype=A earliest=-30m latest=-20m | append [search sourcetype=B earliest=-25m latest=-15m]


Re: Search Time interval

Splunk Employee

Your original will work fine if you parenthesize correctly and specify your times in an acceptable format:

(sourcetype=A earliest=10/21/2010:09:00:00 latest=10/21/2010:09:02:00) OR (sourcetype=listener earliest=10/21/2010:08:59:00 latest=10/21/2010:09:03:00)

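Putting the two answers together, as an added example that is not from either poster: the asker's full search rewritten first with the parenthesized OR and fully specified timestamps, then with append. It assumes that the "B" in the original case() was meant to be "listener", and it replaces the sum(x)==1 test with a values() check, because a sum of per-event 1s also reaches 2 when an id has two A events and no listener event at all.

```spl
(sourcetype=A earliest=10/21/2010:09:00:00 latest=10/21/2010:09:02:00)
  OR (sourcetype=listener earliest=10/21/2010:08:59:00 latest=10/21/2010:09:03:00)
| stats values(sourcetype) AS seen_in, count BY id
| where mvcount(seen_in)==1 AND seen_in=="A"

sourcetype=A earliest=10/21/2010:09:00:00 latest=10/21/2010:09:02:00
| append [ search sourcetype=listener earliest=10/21/2010:08:59:00 latest=10/21/2010:09:03:00 ]
| stats values(sourcetype) AS seen_in, count BY id
| where mvcount(seen_in)==1 AND seen_in=="A"
```

The first form is a single search, so it is not subject to the subsearch result and time limits that apply to what append runs; the count column shows how many events each id contributed, which is why a sum of per-event 1s is not a reliable "only in A" test.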