Solved: How to search in an index conditioned from the sum...

spisiakmi · ‎06-02-2020

Hi. I have summary index_sum, which has 2 events, 2 attributes:

A1_sum, A2_sum
1590482539, 7722527
1591080961, 7722525

I have also index2, where a lot of time events are stored. The index time _time is important. I want to search the max(A1_sum) from index_sum and use this value to filter values from the index2.
something like this:
index2
| where _time>max(A1_sum)

can you help me, please, with this problem?

493669 · ‎06-02-2020

I haven't tested but you can try return command like below-

index=index2  |search _time>[search index=index_sum |stats max(A1_sum) as max|return $max]

View solution in original post

493669 · ‎06-02-2020

I haven't tested but you can try return command like below-

index=index2  |search _time>[search index=index_sum |stats max(A1_sum) as max|return $max]

spisiakmi · ‎06-02-2020

Hi 493669. Your answer/help is amazing. It works absolutely great. Thank you very much.

493669 · ‎06-02-2020

@spisiakmi I am converting my comment into answer. Please accept and upvote if it helps.

How to search in an index conditioned from the summary index.

summary indexing

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Are you a member of the Splunk Community?

How to search in an index conditioned from the summary index.

summary indexing

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency