Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Correlating events and specifying a timerange for how close the events need to be

the_wolverine
Champion
‎01-24-2012 07:08 AM

I'd like to be able to historically search my events and be able to correlate events from 2 different sources. One source is a dhcp log which stores ips and hostnames that are time-specific.

Is there a command that I can use to specify how close the events must be to match? I guess I'm looking for something similar to maxspan in transaction. But I don't want to use transaction due to the expense.

0 Karma
Reply

the_wolverine
Champion
‎02-08-2012 12:43 PM

Its not apparent to me what the value of "log2" should be in your example.

0 Karma
Reply

tgow
Splunk Employee
Splunk Employee
‎01-24-2012 08:20 AM

Here is a link to an Answer from Stephen Sorkin.

http://splunk-base.splunk.com/answers/103/transaction-vs-stats-commands

I believe you can use the "stats range" instead of transaction but it depends on the data. Here is an example:

... | transaction trade_id | chart count by duration span=log2

is the same as:

... | stats range(_time) as duration by trade_id | chart count by duration span=log2
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...