Solved: two different time modifiers in one search?

p_splunk · ‎02-20-2013

The problem I'm facing is that I want a search that comes up with the possibility to set different time modifiers for different events.
For examples i want all account-registrations of january and all item-buys of january AND february.

I'm aware of the possibility of append (but it only works on results right, is there a similar function to append events?), but since this uses a subsearch which performs badly I'm searching for a different possibilty.

lguinn2 · ‎02-20-2013

Try this:

Search over January + February

(account-registrations) OR (item-buys)
| eval eventCategory = If(somecriteria,"Registration","Buy")
| eval month = if (_time < relative_time(now(),"@mon"),"Last","Current")
| where month = "Last" OR eventCategory="Buy"

I don't have enough information to write the actual search, or the criteria for the first if function. But this is a start... and it does avoid subsearches.

View solution in original post

lguinn2 · ‎02-20-2013

Try this:

Search over January + February

(account-registrations) OR (item-buys)
| eval eventCategory = If(somecriteria,"Registration","Buy")
| eval month = if (_time < relative_time(now(),"@mon"),"Last","Current")
| where month = "Last" OR eventCategory="Buy"

I don't have enough information to write the actual search, or the criteria for the first if function. But this is a start... and it does avoid subsearches.

p_splunk · ‎02-20-2013

thanks for the great answer, performs very well.

two different time modifiers in one search?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms