Solved: Re: メインサーチのイベントの時間をサブサーチに渡したい

midcoffessplunk · ‎12-15-2022

メインサーチのイベントの_timeをサブサーチに渡したいのですが、上手くいきません。

何か方法はありますでしょうか。

index=event_data

|eval earlytime=_time-60 latesttime=_time+60

|fields earlytime,latesttime

[

|search index=event_data2 earliest=earlytime latest=latesttime

|return event_host,event_user

]

|table event_host,event_user

ご助力お願いします。

millarma · ‎02-15-2023

sorry to be so slow to respond. so there are a few ways to do this. starting with your example, you need to change the '=' sign to '>' and '<' signs. so earliest>earlytime latest<latesttime.

This will mean that splunk will show events that happen during the time between those two.

View solution in original post

millarma · ‎02-15-2023

sorry to be so slow to respond. so there are a few ways to do this. starting with your example, you need to change the '=' sign to '>' and '<' signs. so earliest>earlytime latest<latesttime.

This will mean that splunk will show events that happen during the time between those two.

メインサーチのイベントの時間をサブサーチに渡したい

subsearch

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?

メインサーチのイベントの時間をサブサーチに渡したい

subsearch

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!