
Tag events coming from two sources as Potential and False

veerendra_modi

I have two sources of events, say source_1 and source_2.
Both events are coming into Splunk. I need to check the id and timestamp of the event, and
if the event is coming from both sources at around the same time I have to tag it as "Potential", otherwise "False".

The catch is that if I get the event at, say, 3pm from source_1, then my rule should check for the same event from 2:55 to 3:05 in sourcetype_2.
If found, tag it as "Potential", otherwise "False".

Please help with this.

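As an added illustration (not part of the original post, and not Splunk SPL), the following Python reference implementation applies the rule described above to a constructed set of events: for every source_1 event it looks for a source_2 event with the same id whose timestamp lies within plus or minus five minutes (inclusive), and tags the source_1 event "Potential" or "False" accordingly. The event fields (`id`, `sourcetype`, `_time`), the timestamp format and the sample data are all assumptions made for this example; the point is to have a small, deterministic oracle against which a real Splunk search can be checked.

```python
from bisect import bisect_left
from datetime import datetime, timedelta

# Constructed sample events (assumption: each event carries id, sourcetype and _time).
# Times are strings as they might appear in a log; they are parsed below.
EVENTS = [
    {"id": "A100", "sourcetype": "source_1", "_time": "2024-01-15 15:00:00"},
    {"id": "A100", "sourcetype": "source_2", "_time": "2024-01-15 15:03:30"},  # 3.5 min later: inside window
    {"id": "B200", "sourcetype": "source_1", "_time": "2024-01-15 15:00:00"},
    {"id": "B200", "sourcetype": "source_2", "_time": "2024-01-15 15:07:00"},  # 7 min later: outside window
    {"id": "C300", "sourcetype": "source_1", "_time": "2024-01-15 16:10:00"},  # no source_2 event at all
    {"id": "D400", "sourcetype": "source_1", "_time": "2024-01-15 14:00:00"},
    {"id": "D400", "sourcetype": "source_2", "_time": "2024-01-15 13:55:00"},  # exactly 5 min earlier: inside (boundary)
]

WINDOW = timedelta(minutes=5)          # 2:55 to 3:05 around a 3:00 event
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"      # assumed timestamp layout


def parse_time(value):
    """Parse the assumed timestamp layout into a datetime."""
    return datetime.strptime(value, TIME_FORMAT)


def tag_events(events, window=WINDOW, primary="source_1", secondary="source_2"):
    """Return one result per primary event, tagged "Potential" if a secondary
    event with the same id falls within +/- window of it, else "False"."""
    # Index secondary-source timestamps per id and sort them so each lookup is a bisect.
    secondary_times = {}
    for event in events:
        if event["sourcetype"] == secondary:
            secondary_times.setdefault(event["id"], []).append(parse_time(event["_time"]))
    for times in secondary_times.values():
        times.sort()

    results = []
    for event in events:
        if event["sourcetype"] != primary:
            continue
        t = parse_time(event["_time"])
        candidates = secondary_times.get(event["id"], [])
        # First secondary timestamp that is >= t - window; if it is also <= t + window it matches.
        i = bisect_left(candidates, t - window)
        matched = i < len(candidates) and candidates[i] <= t + window
        results.append({
            "id": event["id"],
            "_time": event["_time"],
            "tag": "Potential" if matched else "False",
            "matched_time": candidates[i].strftime(TIME_FORMAT) if matched else None,
        })
    return results


def tags_by_id(results):
    """Collapse the result list into {id: tag} for quick inspection."""
    return {r["id"]: r["tag"] for r in results}


if __name__ == "__main__":
    for row in tag_events(EVENTS):
        print(row)
```

The window check is inclusive at both ends, so a source_2 event exactly five minutes before or after counts as a match; tighten the comparison if the boundary should be excluded. Because the secondary timestamps are sorted per id, each primary event costs one binary search rather than a scan of every source_2 event.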