Solved: Re: How to search in an index conditioned from the...

spisiakmi · ‎06-02-2020

Hi. I have summary index_sum, which has 2 events, 2 attributes:

A1_sum, A2_sum
1590482539, 7722527
1591080961, 7722525

I have also index2, where a lot of time events are stored. The index time _time is important. I want to search the max(A1_sum) from index_sum and use this value to filter values from the index2.
something like this:
index2
| where _time>max(A1_sum)

can you help me, please, with this problem?

493669 · ‎06-02-2020

I haven't tested but you can try return command like below-

index=index2  |search _time>[search index=index_sum |stats max(A1_sum) as max|return $max]

View solution in original post

493669 · ‎06-02-2020

I haven't tested but you can try return command like below-

index=index2  |search _time>[search index=index_sum |stats max(A1_sum) as max|return $max]

spisiakmi · ‎06-02-2020

Hi 493669. Your answer/help is amazing. It works absolutely great. Thank you very much.

493669 · ‎06-02-2020

@spisiakmi I am converting my comment into answer. Please accept and upvote if it helps.

How to search in an index conditioned from the summary index.

summary indexing

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!