How to execute two join queries in different time ...

djroks89 · ‎10-23-2020

Hi Splunk Team,

I have a quick question.

I'm writing a join query wherein i want the query A ("Birth Test") to execute as per the timepicker in Dashboard but the query-B( "Modem Details") should default execute the last 30 days

index="o2a" application="publisher-v2" "Birth Test" "Request received"
| rex field=message "(?msi)(?<json_message>\{.+\})"
| spath input=json_message output=externalReferenceId path=correlationId
| table externalReferenceId,_time
| eval BTActivityStartTime = strftime(_time, "%Y-%m-%d %H:%M:%S") | fields - _time
| join type=outer externalReferenceId
[ search
index="o2a" application="publisher-v2" "Modem Details" "Request received"
| rex field=message "(?msi)(?<json_message>\{.+\})"
| spath input=json_message output=externalReferenceId path=correlationId
| table externalReferenceId,_time
| eval ModemActivityStartTime = strftime(_time, "%Y-%m-%d %H:%M:%S") | fields - _time
]
|table ModemActivityStartTime,BTActivityStartTime,externalReferenceId,OrderID

Could you please assist? Thanks so much.

to4kawa · ‎10-24-2020

please add "earliest" and "latest"

https://community.splunk.com/t5/Splunk-Search/earliest-latest-and-time-variables/m-p/168956

How to execute two join queries in different time interval?

subsearch

Enhance Your Splunk App Development: New Tools & Support

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Are you a member of the Splunk Community?

How to execute two join queries in different time interval?

subsearch

Enhance Your Splunk App Development: New Tools & Support

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code