Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help to pass time to subsearch?

k31453
Explorer
‎11-14-2022 07:18 PM

Hi, I have SPL which includes just using bunch of lookups and producting following data:

_time turnaround_time diff_time customer product_to product_from
2022-06-30 04:04:43.399 2022-06-30 04:12:53.556 490.156810 nike cat dog
2022-07-07 05:15:14.209 2022-07-07 05:31:22.881  968.671302 adidas bear   cat


I have got another lookup jira_data.csv which contains Jira data associated with it:

Ticket customer Summary Status Created Resolved Updated
COW-245 nike customer complaining open 2022-06-30 03:04:43.399 - 2022-06-30 03:21:43.399
COW-456 nike product change closed 2022-06-30 02:04:43.399  2022-06-30 07:04:43.399 2022-06-30

07:20:43.399

 

I am attempting to do follow:

  • Use turnaround_time and lookup in the jira_data.csv and find all jiras if turnaround_time is around 2h back or front of Resolved.  In this example I am expecting COW-456 as an output.
Labels (1)
Labels
Tags (1)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎11-15-2022 01:49 AM

As @bowesmana mentioned, your illustrated data and expected result do not match.  Assuming it was a mistype, that the turnaround_time was actually 2022-06-30 05:12:53.556 so it was within 2 hour ahead of 07:04:43, you still need to answer whether any field should match.  Given the mentioning of lookup, I assume that you want to match for customer.  If this is the case, it is a simple exercise of calculating time difference after match, like

| lookup jira_data.csv customer
| where strptime(Revolved, "%Y-%m-%d %H:%M:%S.%3N") - strptime(turnaround_time, "%Y-%m-%d %H:%M:%S.%3N") < 7200

Is this what you are looking for?

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-14-2022 08:29 PM

Are you looking at ANY jira_data entry regardless of customer? The COW-456 has a Resolved time of 07:04:43 but there is no turnaround_time that is within two hours of that. My understanding is that you are looking for a turnaround_time that is between 05:04:43.399 and 09:04.43.399

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...