Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Check if a measurement is between startTime and endTime of an incident

dgriffioen
Engager
‎04-06-2019 02:46 AM

Hi,

I have 2 indexes.

measurements - list of all measurements ( _time, transactionId, transTime, resultStatus)
incidents - list of incidents ( _time, transactionId, incidentId, startTime, endTime, valid, checked, comment)

_time in the incidents table is the time that the incident is inserted into Splunk.

i would like to check for each measurement if it was between the startTime and endTime of a valid incident on that transaction and add a field "availability" with 0 if it was in an incident and 1 if it was not to each measurement.

i tried things with map command and join but i cant find the right approach. please help:)

thanks!

Tags (1)
0 Karma
Reply

dgriffioen
Engager
‎04-10-2019 12:44 PM

I have found another angle to this problem so i`m not trying to get this done anymore. im now keeping the incidents separated and calculating duration of incidents, filtering etc. there instead of trying to tie all incidents to a measurement and get one overview of everything. Thanks.

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎04-07-2019 05:58 PM

I don't have a complete answer. I think you want to avoid doing a join especially if your incident table gets big as Splunk joins are quite limited (currently.)

Seems like what you might want is an automatic lookup at search time: https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/DefineanautomaticlookupinSplunkWeb

0 Karma
Reply

woodcock
Esteemed Legend
‎04-07-2019 08:04 AM

Show us your searches!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...