How to use date as a parameter along with another ...

liyakath001 · ‎03-26-2018

[search index=pax | table A B D]
[search index=fl | table B C N]

D and N are date times
I need to find all events in second search which happened between D+10 And D+60 mins
ie. all N between D+10 And D+60 on field B.

niketn · ‎03-26-2018

@liyakath001 some mocked up data example of what should be matched in the query result and unmatched would be helpful for us to assist you better!

Based on the query mock up seems like B is the only common field between index pax and index fl. Also are D and N time corresponding to _time in respective index?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

liyakath001 · ‎03-28-2018

@niketnilay any thoughts

liyakath001 · ‎03-26-2018

Hi,
D and N are _time .

Below is a sample

PAX

A B D

A1 B1 26/03/2018 04:00

A2 B1 26/03/2018 05:00

FL

B C N

B1 C1 26/03/2018 04:00

B1 C2 26/03/2018 04:10

B1 C3 26/03/2018 04:20

B1 C4 26/03/2018 04:30

B1 C5 26/03/2018 04:40

B1 C6 26/03/2018 05:00

B1 C7 26/03/2018 05:10

B1 C8 26/03/2018 05:20

B1 C9 26/03/2018 05:30

RESULT

A1 B1 26/03/2018 04:10 C2
A1 B1 26/03/2018 04:20 C3
A1 B1 26/03/2018 04:30 C4
A1 B1 26/03/2018 04:40 C5
A2 B1 26/03/2018 05:10 C7
A2 B1 26/03/2018 05:20 C8
A2 B1 26/03/2018 05:30 C9

I am looking for all events from FL joining on B1 from pax which is between D+10 And D+40

liyakath001 · ‎03-28-2018

@niketnilay any thoughts ?

tiagofbmm · ‎03-26-2018

Hey

Try this [search index=pax | table A B D] [search index=pax | eval earliest=D+10, latest=D+60 | return $earliest,$latest ]

How to use date as a parameter along with another field in Append

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!

What’s New in Splunk Cloud Platform 9.1.2308?