Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine a search that relies on latest(_time) for two different fields

ebs
Communicator
‎06-06-2021 03:57 PM

Hi,

I want to create a search that is able to grab both the start and end times of a specific action, but to create the fields they both use latest(_time). Here are the two searches I want to combine:

Start:

index=index_name act="LDAP Synchronization start" | stats latest(_time) as start | eval "LDAP Sync Start"=strftime(start,"%d/%m/%Y %H:%M:%S")

End:

index=index_name act="LDAP Synchronization end" | stats latest(_time) as end | eval "LDAP Sync End"=strftime(end,"%d/%m/%Y %H:%M:%S")

How can I combine these two searches into one search, especially since I rely on the same stats command to create the field?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-06-2021 04:10 PM

Like this

index=index_name act="LDAP Synchronization start" OR act="LDAP Synchronization end"
| stats max(eval(if(act="LDAP Synchronization start", _time, 0))) as start max(eval(if(act="LDAP Synchronization end", _time, 0))) as end
| eval "LDAP Sync Start"=strftime(start,"%d/%m/%Y %H:%M:%S"), "LDAP Sync End"=strftime(end,"%d/%m/%Y %H:%M:%S")

i.e. use an eval in the stats so that the max _time (i.e. latest) of start and end time is evaluated during aggregation.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-06-2021 04:10 PM

Like this

index=index_name act="LDAP Synchronization start" OR act="LDAP Synchronization end"
| stats max(eval(if(act="LDAP Synchronization start", _time, 0))) as start max(eval(if(act="LDAP Synchronization end", _time, 0))) as end
| eval "LDAP Sync Start"=strftime(start,"%d/%m/%Y %H:%M:%S"), "LDAP Sync End"=strftime(end,"%d/%m/%Y %H:%M:%S")

i.e. use an eval in the stats so that the max _time (i.e. latest) of start and end time is evaluated during aggregation.

 

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...