Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Knowledge Management
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- How to search in an index conditioned from the sum...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spisiakmi
Contributor
06-02-2020
04:37 AM
Hi. I have summary index_sum, which has 2 events, 2 attributes:
A1_sum, A2_sum
1590482539, 7722527
1591080961, 7722525
I have also index2, where a lot of time events are stored. The index time _time is important. I want to search the max(A1_sum) from index_sum and use this value to filter values from the index2.
something like this:
index2
| where _time>max(A1_sum)
can you help me, please, with this problem?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
06-02-2020
04:48 AM
I haven't tested but you can try return command like below-
index=index2 |search _time>[search index=index_sum |stats max(A1_sum) as max|return $max]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
06-02-2020
04:48 AM
I haven't tested but you can try return command like below-
index=index2 |search _time>[search index=index_sum |stats max(A1_sum) as max|return $max]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spisiakmi
Contributor
06-02-2020
06:12 AM
Hi 493669. Your answer/help is amazing. It works absolutely great. Thank you very much.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
06-02-2020
06:19 AM
@spisiakmi I am converting my comment into answer. Please accept and upvote if it helps.
Get Updates on the Splunk Community!
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Splunk AppDynamics Agents Webinar Series
Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...
SplunkTrust Application Period is Officially OPEN!
It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open!
If you ...
