Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Correlating events and specifying a timerange for how close the events need to be

the_wolverine
Champion
‎01-24-2012 07:08 AM

I'd like to be able to historically search my events and be able to correlate events from 2 different sources. One source is a dhcp log which stores ips and hostnames that are time-specific.

Is there a command that I can use to specify how close the events must be to match? I guess I'm looking for something similar to maxspan in transaction. But I don't want to use transaction due to the expense.

0 Karma
Reply

the_wolverine
Champion
‎02-08-2012 12:43 PM

Its not apparent to me what the value of "log2" should be in your example.

0 Karma
Reply

tgow
Splunk Employee
Splunk Employee
‎01-24-2012 08:20 AM

Here is a link to an Answer from Stephen Sorkin.

http://splunk-base.splunk.com/answers/103/transaction-vs-stats-commands

I believe you can use the "stats range" instead of transaction but it depends on the data. Here is an example:

... | transaction trade_id | chart count by duration span=log2

is the same as:

... | stats range(_time) as duration by trade_id | chart count by duration span=log2
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...