Splunk Search

How to define "latest" based on "earliest" in order to act on the group of events happening in a certain duration.

New Member

I have a search challenge where I need to pick a _time from SearchA and look for all the events happening in SearchB within a certain duration (few minutes). When I used "map" in SearchB with "earliest" taken from SearchA and "latest" to be "earliest" plus few minutes, it does not work at all. This is roughly what I used:

index=ABC sourcetype= STypeA | eval st=_time | map search="search index=ABC sourcetype=STypeB user=xyz earliest=$st$ | eval latest=$st$+3600"

Note that both searches do have same index (=ABC)

I appreciate your help.

Thanks.

Tags (3)
0 Karma

Esteemed Legend

Try this:

index=ABC sourcetype= STypeA | eval lotime=_time | eval hitime=lotime+3600| map search="search index=ABC sourcetype=STypeB user=xyz earliest=$lotime$ latest=$hitime$"
0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!