Re: How do I append event(s) fields to a separate ...

kligms · ‎11-19-2018

Hello,

I have two sets of data: Trip Metadata(A) and Individual Trip Coordinates(B).

Set A fields:
- StartTime
- EndTime

Set B fields:
- Coordinates (Latitude and Longitude)
- Timestamp

How do I append the Set B Coordinate fields to events of Set A only if the Set B timestamp is between the Set A Start and End time?

Thanks for reading.

Both sets of data live in the same index but with different source types.

Sample Data:
Set A Trip Metadata (Multiple events(trips))
{ [-]
device_sn: GXXXXXG

id: qwg098wq7wq8

trip_distance_km: 4.927902

trip_end_time: 2018-11-19T23:46:56.0000000-05:00

trip_start_time: 2018-11-19T23:36:35.0000000-05:00

vehicle_name: Eric Jim
vehicle_vin: WG15
},
{ [-]
device_sn: GXXXXXG

id: 23jg9802j32
trip_distance_km: 4.927902

trip_end_time: 2018-11-19T23:06:56.0000000-05:00

trip_start_time: 2018-11-19T23:16:35.0000000-05:00

vehicle_name: Eric Jim

vehicle_vin: WG15
}

Set B Trip Individual Coordinates
{ [-]
device_sn: GXXXXXG

id: 9854gu45g
latitude: 33.7303314
longitude: -116.96965
speed_kph: 0

timestamp: 2018-11-19T23:47:02.0000000-05:00

vehicle_name: Eric Jim

vehicle_vin: WG15
}

laurie_gellatly · ‎11-21-2018

Try this (assuming that 'timestamp' field is actually extracted):

  index="your_index" 
    | strcat timestamp ";" latitude ";" longitude latv
    | eventstats values(latv) as latv by vehicle_vin 
    | where trip_start_time=trip_start_time 
    | mvexpand latv
    | rex field=latv "(?<timestmp>[^;]*);(?<latitude>[^;]*);(?<longitude>.*)"
    | eval ts = strptime(timestmp,"%Y-%m-%dT%H:%M:%S") 
    | eval trip_start_time = strptime(trip_start_time ,"%Y-%m-%dT%H:%M:%S") 
    | eval trip_end_time = strptime(trip_end_time ,"%Y-%m-%dT%H:%M:%S") 
    | where ts>=trip_start_time AND ts <=trip_end_time
    | table trip_distance_km trip_start_time ts trip_end_time vehicle_vin latitude

The evals would not be needed if the timestamps are already able to be numerically compared.
If you need to keep additional fields from the coordinate events then add them to the strcat and the rex lines.

...Laurie:{)

laurie_gellatly · ‎11-19-2018

Could you post some sample data from the index?
index=theindex sourcetype=trip_meta OR sourcetype=trip_coords
So you're saying that _time for the coords is > starttime and < endtime for the trip_meta event (or events)?

kligms · ‎11-20-2018

I added some sample data. Yes, the coords time has to be between the trip meta start and end time. There are multiple trips and there's alot of trip coordinate events.

laurie_gellatly · ‎11-20-2018

It looks like there are additional values that must be used to correlate the events?
Is the 'id' field shown sufficient to associate Set B with Set A data or field 'vehicle_vin' or a combination of both?
The sample data you provided would not correlate any values as the time for Set B data is not within any of Set A event time ranges. The second event, the end_time is before the start_time??? Guess you hand generated this?
Are you trying to achieve an association of the lat/long with the start and end times? Is that the goal?

How do I append event(s) fields to a separate event based on two timestamps?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation