I have a Splunk sub search similar to
index=index1 type="example" [ search index=index2 type="other" | eval nowtime=_time | eval maxtime=_time+30 | fields user] | table user, nowtime, maxtime
Now in index2 there are extra fields as nowtime, maxtime and I need to compare this nowtime & maxtime to index1's event time like index1's _time > nowtime and index1's time < maxtime.
For this I have to return values nowtime & maxtime out of the inner search which I am unable to do.
The inner search is based on a common field called user which is both in index1 and index2. How can I check if the user logged in index2 and then should have a login within 30 seconds in index1..?
Pls use append, if you want to pass the results of the subsearch to the main search.
index=index1 type="example" | append [ search index=index2 type="other" | eval nowtime=time | eval maxtime=time+30 | fields user] | table user, nowtime, maxtime
let me know if it works..
Hi @karthikmalla ,
Your sub-search is not returning the fields because you have restricted the inner search fields to
Can you please try below and see if it works for you ? You might change the aggregation function based on your events order
(index=index1 OR index=index2) | stats latest(eval(if(index=="index1",_time,NULL))) as index1_time,latest(eval(if(index=="index2",_time,NULL))) as index2_time by user |eval diff= index2_time- index1_time|where diff <30
Actually this is deduping the user which shouldn't happen and also not all users time difference is working. If I run over a full day index1 has around 100,000 results and index2 has 100 results and technically every event in index2 should be in index1 as well (but with time difference) however only 1 or 2 events are displaying. Not sure why the other are ignored.
alright, can you please try this and let's know
index=index1 type="example" |join user type=outer [ search index=index2 type="other" | eval nowtime=_time | eval maxtime=_time+30 | fields nowtime,maxtime] | table _time,user, nowtime, maxtime
I tried this before and as I said in my earlier comment index1 has 100,000 results and index2 has 100 results and I need user login in index2 should check with user login in index1 within 30 seconds the way join does is if there is any login in index1 it will still join it. My main blocker is checking 2 events from different index within 30 seconds.