Solved: How to join 2 searches based on time range?

Mattjj · ‎03-25-2022

Hi all,

We have events in a single index for flows into and out of a gateway, I’m trying to link an incoming event with the outgoing:

search 1:

index=vpc | where src=<gateway_out_ip> | table starttime, endtime, src, dest

search 2:

index=vpc | where dest=<gateway_in_ip> AND src=<server_ip> | table starttime, endtime, src, dest

The idea is to join search 1 to search 2 where the starttimes are within 3 seconds of each other, so I can see the dest in search 1 for the <server_ip> In search 2. I tried using transaction but there aren’t any common data between the two searches. I only want to include events from search 1 that have a corresponding (within 3 seconds) event in search 2.

Can anyone advise on the best way to do this?

Thanks

yuanliu · ‎03-25-2022

Try transaction with startswith, endwith, maxspan. Something like

index=vpc (src=<gateway_out_ip> OR dest=<gateway_in_ip> AND src=<server_ip>)
| transaction startswith=eval(src="<gateway_out_ip>") endswith=eval(dest="<gateway_in_ip>" AND src="<server_ip>") maxspan=3s
| table starttime, endtime, src, dest

View solution in original post

yuanliu · ‎03-25-2022

Try transaction with startswith, endwith, maxspan. Something like

index=vpc (src=<gateway_out_ip> OR dest=<gateway_in_ip> AND src=<server_ip>)
| transaction startswith=eval(src="<gateway_out_ip>") endswith=eval(dest="<gateway_in_ip>" AND src="<server_ip>") maxspan=3s
| table starttime, endtime, src, dest

Mattjj · ‎03-25-2022

That works perfectly, thank you!

How to join 2 searches based on time range?

join

transaction

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms