Splunk Enterprise Security

Find events from two indexes based on a time range

wtaylor149
Explorer

I have a need to reconcile Splunk ES rule changes. I am using the REST API to pull the "updated" rule changes. The issue with this is that the logs in Splunk don't identify the user who updates the rule. I have another index that is our change management system. This system may or may not have the exact Splunk rule somewhere in the description field. The change mgmt system has a beginning and ending time range. The "updated" time should fall within that range.

The only way to correlate these two indexes would be to take the "updated" timestamp and check the change mgmt logs for "begin_chg_time > updated AND updated < end_chg_time".

Basically, I believe I'm stuck on taking the field "updated" and checking for the change record in the change mgmt index.

Any help would be greatly appreciated.


richgalloway
SplunkTrust

A subsearch should be able to do that.

 index=bar <your change mgmt search here>
     [ search index=foo "updated"
       | eval earliest=relative_time(_time, "-5min@min"), latest=relative_time(_time, "+5min@min")
       | fields earliest latest
       | format ]
---
If this reply helps you, Karma would be appreciated.
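The correlation the question asks for, which the subsearch above approximates with a fixed five-minute window around each change event, as an added worked example that is not code from the original thread. It is written in Python rather than SPL so the matching logic can be run and checked offline; the rule records stand in for the "updated" values pulled from the ES REST API and the change records for events from the change-management index. The field names begin_chg_time and end_chg_time come from the question; chg_id, requester, description contents, rule names and every timestamp are constructed sample data. The containment test is begin_chg_time <= updated <= end_chg_time, inclusive at both ends, and an update that falls in no change window at all is the finding the reconciliation is meant to surface.

```python
from datetime import datetime, timezone

# Constructed sample data for this example (not from any real Splunk instance).
# RULE_UPDATES stands in for the "updated" values pulled from the ES REST API;
# CHANGE_RECORDS stands in for events from the change-management index.
# begin_chg_time / end_chg_time are the field names from the question; chg_id,
# requester and description are assumed names.
RULE_UPDATES = [
    {"rule": "ESCU - Suspicious Scheduled Task", "updated": "2024-03-01T10:15:00Z"},
    {"rule": "Threat - Brute Force Access",      "updated": "2024-03-01T23:40:00Z"},
    {"rule": "Endpoint - Malware Detected",      "updated": "2024-03-02T14:05:00Z"},
]

CHANGE_RECORDS = [
    {"chg_id": "CHG0001", "requester": "alice",
     "begin_chg_time": "2024-03-01T10:00:00Z", "end_chg_time": "2024-03-01T11:00:00Z",
     "description": "Tune ESCU - Suspicious Scheduled Task thresholds"},
    {"chg_id": "CHG0002", "requester": "bob",
     "begin_chg_time": "2024-03-02T13:00:00Z", "end_chg_time": "2024-03-02T15:00:00Z",
     "description": "Patch search head cluster"},
    {"chg_id": "CHG0003", "requester": "carol",
     "begin_chg_time": "2024-03-02T14:00:00Z", "end_chg_time": "2024-03-02T16:00:00Z",
     "description": "Tune correlation search thresholds"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing Z or a naive value is taken as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def changes_covering(updated: str, changes: list) -> list:
    """Change records whose window contains the update time (begin <= updated <= end).

    Both ends are inclusive: an update logged exactly at end_chg_time still counts.
    """
    t = parse_ts(updated)
    return [c for c in changes
            if parse_ts(c["begin_chg_time"]) <= t <= parse_ts(c["end_chg_time"])]


def reconcile(updates: list, changes: list) -> list:
    """Classify every rule update by the change records that cover it.

    matched_by_name   - a covering change names the rule in its description
    matched_by_window - at least one change covers the time, none names the rule
    no_change_record  - no change window contains the update time (the finding)
    """
    report = []
    for u in updates:
        covering = changes_covering(u["updated"], changes)
        # The description may or may not name the rule, so use it only to rank hits.
        named = [c for c in covering if u["rule"].lower() in c["description"].lower()]
        if named:
            status, hits = "matched_by_name", named
        elif covering:
            status, hits = "matched_by_window", covering
        else:
            status, hits = "no_change_record", []
        report.append({
            "rule": u["rule"],
            "updated": u["updated"],
            "status": status,
            "changes": [c["chg_id"] for c in hits],
            "requesters": sorted({c["requester"] for c in hits}),
        })
    return report


if __name__ == "__main__":
    for row in reconcile(RULE_UPDATES, CHANGE_RECORDS):
        print(f'{row["status"]:18} {row["updated"]}  {row["rule"]}  {row["changes"]}')
```

Three outcomes matter for the reconciliation: a covering change that names the rule, a covering change (or several overlapping ones) that does not, and no change at all. The middle case is the one that needs a human to read the description; the last is the unauthorized-change candidate. In SPL the same containment test is a where clause over epoch values once the rule update and the change record sit in one result set, so the comparison operators in the question should read begin_chg_time <= updated AND updated <= end_chg_time.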