Re: Can we use Start/End times from a query to get...

MSaraswat · ‎01-07-2018

I am able to get the Start/End times of a load test execution from a search query (by getting End time from Timestamp (field) of the log data, and subtracting the duration (field) to get Start time.
Now I want to use this Start time, End time and duration between them in another search query with a different sourcetype such that it would fetch all the data inputs falling within that time duration (between Start/End times) from another app logs - to calculate the average/count of a field.
So, please help me in achieving the desired data with the required search queries (using subsearch/joins etc.)

gcusello · ‎01-07-2018

Hi MSaraswat,
try something like this

index=my_index1 sourcetype=my_sourcetype1 [ search index=my_index2 sourcetype=my_sourcetype2 | rename Timestamp AS latest | eval earliest=strptime(latest,"time_format")-duration | fields earliest latest ]
| ...

(I don't know the Timestamp field format so you have to customize it).

Bye.
Giuseppe

micahkemp · ‎01-07-2018

[search <your search that creates start/end fields> | rename start AS earliest, end AS latest | table earliest latest] <your new search>

As a run-anywhere example:

[| makeresults | eval start=relative_time(now(), "-10min"), end=relative_time(now(), "-5min") | rename start AS earliest, end AS latest | table earliest latest] index=_internal

Note the run-anywhere example doesn't have search in the subsearch (between the []). This is because makeresults is a generating command. I'm assuming your initial search that calculates start/end will use an indexed search, and the search command that would be assumed in your main search string must be explicitly included inside a subsearch.

Can we use Start/End times from a query to get duration to use it in another search query to get an average of a field in that duration ?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life