Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can we use Start/End times from a query to get duration to use it in another search query to get an average of a field in that duration ?

MSaraswat
New Member
‎01-07-2018 07:05 AM

I am able to get the Start/End times of a load test execution from a search query (by getting End time from Timestamp (field) of the log data, and subtracting the duration (field) to get Start time.
Now I want to use this Start time, End time and duration between them in another search query with a different sourcetype such that it would fetch all the data inputs falling within that time duration (between Start/End times) from another app logs - to calculate the average/count of a field.
So, please help me in achieving the desired data with the required search queries (using subsearch/joins etc.)

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-07-2018 11:39 PM

Hi MSaraswat,
try something like this

index=my_index1 sourcetype=my_sourcetype1 [ search index=my_index2 sourcetype=my_sourcetype2 | rename Timestamp AS latest | eval earliest=strptime(latest,"time_format")-duration | fields earliest latest ]
| ...

(I don't know the Timestamp field format so you have to customize it).

Bye.
Giuseppe

0 Karma
Reply

micahkemp
Champion
‎01-07-2018 10:20 AM 
[search <your search that creates start/end fields> | rename start AS earliest, end AS latest | table earliest latest] <your new search>

As a run-anywhere example:

[| makeresults | eval start=relative_time(now(), "-10min"), end=relative_time(now(), "-5min") | rename start AS earliest, end AS latest | table earliest latest] index=_internal

Note the run-anywhere example doesn't have search in the subsearch (between the []). This is because makeresults is a generating command. I'm assuming your initial search that calculates start/end will use an indexed search, and the search command that would be assumed in your main search string must be explicitly included inside a subsearch.

Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...