Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filtered search from 2 searches

AllenZhang
Explorer
‎10-08-2015 07:35 AM

I have 2 searches:
1. Search(AAA)|rename _time as TimeA|table TimeA host;

2. Search(BBB)|rename _time as TimeB|table TimeB host

How to create a new search:
Search(???)|table host; (or Search(???)|table TimeA TimeB host)

Which will only list the hosts that TimeB is older(or smaller) than TimeA
(there might be more than 1 results TimeA and TimeB for each host, in that case, just pick the latest one to compare)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2015 08:08 AM

This might get you started. There may be other ways to do this, too.

search(AAA) | dedup host | rename _time as TimeA | join host [search (BBB) | dedup host | rename _time as TimeB] | where TimeB < TimeA | table TimeA TimeB host
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2015 08:08 AM

This might get you started. There may be other ways to do this, too.

search(AAA) | dedup host | rename _time as TimeA | join host [search (BBB) | dedup host | rename _time as TimeB] | where TimeB < TimeA | table TimeA TimeB host
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

AllenZhang
Explorer
‎10-08-2015 10:52 AM

Thanks to Richgalloway, it works!
However, some expected records were not there in the result, if I the time window is not long enough.
Any way to list those hosts, which were in results of search(AAA) but not in results of Search(BBB) ?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2015 11:34 AM

This this search:

search(AAA) | dedup host | rename _time as TimeA | join type=outer host [search (BBB) | dedup host | rename _time as TimeB | fillnull value=0 TimeB] | where TimeB < TimeA | table TimeA TimeB host
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

AllenZhang
Explorer
‎10-08-2015 11:49 AM

Great, it works like a charm! I am new to Splunk, and I have learnt a lot here. Thanks again!

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...