Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to join 2 searches based on time range?

Mattjj
Explorer
‎03-25-2022 01:09 AM

Hi all,

We have events in a single index for flows into and out of a gateway, I’m trying to link an incoming event with the outgoing:

search 1:

index=vpc | where src=<gateway_out_ip> | table starttime, endtime, src, dest

search 2:

index=vpc | where dest=<gateway_in_ip> AND src=<server_ip> | table starttime, endtime, src, dest

 

The idea is to join search 1 to search 2 where the starttimes are within 3 seconds of each other, so I can see the dest in search 1 for the <server_ip> In search 2.  I tried using transaction but there aren’t any common data between the two searches.  I only want to include events from search 1 that have a corresponding (within 3 seconds) event in search 2.

Can anyone advise on the best way to do this?

 

Thanks 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎03-25-2022 02:07 AM

Try transaction with startswith, endwith, maxspan.  Something like

index=vpc (src=<gateway_out_ip> OR dest=<gateway_in_ip> AND src=<server_ip>)
| transaction startswith=eval(src="<gateway_out_ip>") endswith=eval(dest="<gateway_in_ip>" AND src="<server_ip>") maxspan=3s
| table starttime, endtime, src, dest

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎03-25-2022 02:07 AM

Try transaction with startswith, endwith, maxspan.  Something like

index=vpc (src=<gateway_out_ip> OR dest=<gateway_in_ip> AND src=<server_ip>)
| transaction startswith=eval(src="<gateway_out_ip>") endswith=eval(dest="<gateway_in_ip>" AND src="<server_ip>") maxspan=3s
| table starttime, endtime, src, dest

 

0 Karma
Reply
Solved! Jump to solution

Mattjj
Explorer
‎03-25-2022 02:25 AM

That works perfectly, thank you!

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...