Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search in an index conditioned from the summary index.

spisiakmi
Communicator
‎06-02-2020 04:37 AM

Hi. I have summary index_sum, which has 2 events, 2 attributes:

A1_sum, A2_sum
1590482539, 7722527
1591080961, 7722525

I have also index2, where a lot of time events are stored. The index time _time is important. I want to search the max(A1_sum) from index_sum and use this value to filter values from the index2.
something like this:
index2
| where _time>max(A1_sum)

can you help me, please, with this problem?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎06-02-2020 04:48 AM

I haven't tested but you can try return command like below-

index=index2  |search _time>[search index=index_sum |stats max(A1_sum) as max|return $max]

View solution in original post

Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎06-02-2020 04:48 AM

I haven't tested but you can try return command like below-

index=index2  |search _time>[search index=index_sum |stats max(A1_sum) as max|return $max]

View solution in original post

Reply
Solved! Jump to solution

spisiakmi
Communicator
‎06-02-2020 06:12 AM

Hi 493669. Your answer/help is amazing. It works absolutely great. Thank you very much.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎06-02-2020 06:19 AM

@spisiakmi I am converting my comment into answer. Please accept and upvote if it helps.

0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!