Splunk Search

How to define "latest" based on "earliest" in order to act on the group of events happening in a certain duration.

New Member

I have a search challenge where I need to pick a _time from SearchA and look for all the events happening in SearchB within a certain duration (a few minutes). When I used "map" in SearchB with "earliest" taken from SearchA and "latest" set to "earliest" plus a few minutes, it does not work at all. This is roughly what I used:

index=ABC sourcetype=STypeA | eval st=_time | map search="search index=ABC sourcetype=STypeB user=xyz earliest=$st$ | eval latest=$st$+3600"

Note that both searches use the same index (ABC).

I appreciate your help.

Thanks.


Esteemed Legend

Try this:

index=ABC sourcetype=STypeA | eval lotime=_time | eval hitime=lotime+3600 | map search="search index=ABC sourcetype=STypeB user=xyz earliest=$lotime$ latest=$hitime$"
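The same pattern written out in full, as an added example that is not part of the thread above: the window is computed once on the SearchA side and passed into the map subsearch as epoch values for earliest and latest, which is the only place map can apply a time range. The index, sourcetypes and user=xyz come from the question; the 300-second window, the maxsearches value and the anchor_time / anchor field names are assumptions chosen for illustration.

```spl
index=ABC sourcetype=STypeA
``` SearchA: each result supplies one anchor time ```
| eval lotime=_time, hitime=lotime+300
``` hitime is assumed here to be 5 minutes after the anchor; adjust to the window you need ```
| map maxsearches=50 search="search index=ABC sourcetype=STypeB user=xyz earliest=$lotime$ latest=$hitime$ | eval anchor_time=$lotime$"
``` map runs one SearchB per SearchA result; the default limit is 10 subsearches, so raise maxsearches when SearchA returns more rows ```
| eval anchor=strftime(anchor_time, "%Y-%m-%d %H:%M:%S")
| table anchor _time user _raw
```

Two things to keep in mind when reading the output: earliest is inclusive and latest is exclusive, so an STypeB event landing exactly at hitime is not returned; and because every SearchA result spawns a separate subsearch, overlapping windows return the same STypeB event more than once, which is why the anchor time is carried through into the results with the extra eval inside the map string.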