Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Corelating independent searches.

joydeep741
Path Finder
‎06-27-2018 09:57 AM

I have 2 absolutely independent searches.

Search-1 gives me the availability of server throughout the day.
Sample data :
9am - 100
9.30am - 100
10am - 100
10.30am - 0
11am - 100
11.30am - 100

Search-2 gives me the time range for planned outages
10am to 11am
3pm to 4pm

So I have to build a logic to timechart Search-1 and if the time is BETWEEN the planned outage TIME RANGE than hard code the availablity to 100.

I am not able to co relate 2 different searches reffereing 2 different sourcetypes of the same Index.
Need help.

0 Karma
Reply

DalJeanis
Legend
‎06-27-2018 11:24 AM

Rather than trying a join or correlation, there's a much easier way: append the data from the second search to the first search and then use stats to get the max of the two values.

your search that gives your uptime  with _time and status
| append [ search ... your search that gives each time of scheduled outage with _time and status 100 ...]
| stats max(status) as status by _time
0 Karma
Reply

joydeep741
Path Finder
‎06-27-2018 11:54 AM

1) There is no co relation with respect to _time
2) Second search results in start and end time stamps.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...