Getting Data In

How to extract only the values that has the same timestamp from two different fields in a range of time PLEASE HELP ME!!!

danielgp89
Path Finder

Hello!

I have events from two different fields that are correlate each other by the time.

So I want to make a table extracting only those values that were generate at the same time from a range of time of one day.

For example in the table below, there are two values that has the same time:

How can I extract the events that only has the same timestamp from those two fields (MSGNUM=SVM4000I and SVM4874I)

alt text

0 Karma
1 Solution

renjith_nair
Legend

@danielgp89,

Try this and verify if its working for you

"your base search"|eventstats dc(MSGNUM) as c by _time|where c>1

This should result only those events which has at least 2 MSGNUM values of same time

Happy Splunking!

View solution in original post

0 Karma

renjith_nair
Legend

@danielgp89,

Try this and verify if its working for you

"your base search"|eventstats dc(MSGNUM) as c by _time|where c>1

This should result only those events which has at least 2 MSGNUM values of same time

Happy Splunking!
0 Karma

danielgp89
Path Finder

Thanks so much Renjith!

Your going to heaven!

0 Karma
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...