Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can we use Start/End times from a query to get duration to use it in another search query to get an average of a field in that duration ?

MSaraswat
New Member
‎01-07-2018 07:05 AM

I am able to get the Start/End times of a load test execution from a search query (by getting End time from Timestamp (field) of the log data, and subtracting the duration (field) to get Start time.
Now I want to use this Start time, End time and duration between them in another search query with a different sourcetype such that it would fetch all the data inputs falling within that time duration (between Start/End times) from another app logs - to calculate the average/count of a field.
So, please help me in achieving the desired data with the required search queries (using subsearch/joins etc.)

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-07-2018 11:39 PM

Hi MSaraswat,
try something like this

index=my_index1 sourcetype=my_sourcetype1 [ search index=my_index2 sourcetype=my_sourcetype2 | rename Timestamp AS latest | eval earliest=strptime(latest,"time_format")-duration | fields earliest latest ]
| ...

(I don't know the Timestamp field format so you have to customize it).

Bye.
Giuseppe

0 Karma
Reply

micahkemp
Champion
‎01-07-2018 10:20 AM 
[search <your search that creates start/end fields> | rename start AS earliest, end AS latest | table earliest latest] <your new search>

As a run-anywhere example:

[| makeresults | eval start=relative_time(now(), "-10min"), end=relative_time(now(), "-5min") | rename start AS earliest, end AS latest | table earliest latest] index=_internal

Note the run-anywhere example doesn't have search in the subsearch (between the []). This is because makeresults is a generating command. I'm assuming your initial search that calculates start/end will use an indexed search, and the search command that would be assumed in your main search string must be explicitly included inside a subsearch.

Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...