Solved: Re: How to search in an index conditioned from the...

spisiakmi · ‎06-02-2020

Hi. I have summary index_sum, which has 2 events, 2 attributes:

A1_sum, A2_sum
1590482539, 7722527
1591080961, 7722525

I have also index2, where a lot of time events are stored. The index time _time is important. I want to search the max(A1_sum) from index_sum and use this value to filter values from the index2.
something like this:
index2
| where _time>max(A1_sum)

can you help me, please, with this problem?

493669 · ‎06-02-2020

I haven't tested but you can try return command like below-

index=index2  |search _time>[search index=index_sum |stats max(A1_sum) as max|return $max]

View solution in original post

493669 · ‎06-02-2020

I haven't tested but you can try return command like below-

index=index2  |search _time>[search index=index_sum |stats max(A1_sum) as max|return $max]

spisiakmi · ‎06-02-2020

Hi 493669. Your answer/help is amazing. It works absolutely great. Thank you very much.

493669 · ‎06-02-2020

@spisiakmi I am converting my comment into answer. Please accept and upvote if it helps.

How to search in an index conditioned from the summary index.

summary indexing

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Are you a member of the Splunk Community?

How to search in an index conditioned from the summary index.

summary indexing

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025