Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to join 2 searches using time range?

stwong
Communicator
‎02-14-2018 10:26 AM

Hi all,

We're trying to combine 2 searches:

Search 1:  application transaction log
 ...| transaction connId | eval start=_time | eval end=_time+duration | table start, end, connId, clientIP

Search 2:  VPN log
...| transaction Acct_Session_Id | eval start1=_time | eval end1=_time+duration | table start1, end1, Acct_Session_Id, NAS_IP_Address, UserName

We hope to combine the search by: 

start<=start1 end>=end1 clientIP=NAS_IP_Address

Giving a table of:

start, end, connid, start1, end1, clientIP, start1, end1, Acct_Session_id, NAS_IP_Address, UserName

Tried with left join like "search1 | eval NAS_IP_Address = clientIP | join type=left usetime=true earlier=false NAS_IP_Address [search 2]" but failed.

Would anyone please advise?

Thanks and rgds.
/ST Wong

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎02-14-2018 10:40 AM

have you tried this:

...| transaction connId | eval start=_time | eval end=_time+duration | table start, end, connId, clientIP|join type=left usetime=true earlier=false clientIP[search......| transaction Acct_Session_Id | eval start1=_time | eval end1=_time+duration |rename NAS_IP_Address as clientIP| table start1, end1, Acct_Session_Id, NAS_IP_Address, UserName]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎02-14-2018 10:40 AM

have you tried this:

...| transaction connId | eval start=_time | eval end=_time+duration | table start, end, connId, clientIP|join type=left usetime=true earlier=false clientIP[search......| transaction Acct_Session_Id | eval start1=_time | eval end1=_time+duration |rename NAS_IP_Address as clientIP| table start1, end1, Acct_Session_Id, NAS_IP_Address, UserName]
0 Karma
Reply
Solved! Jump to solution

stwong
Communicator
‎02-20-2018 02:20 AM

Hi, thanks for your help.

The first part of the output table (start, end connId, clientIP) gives 9 lines from Search 1.
The second part of the output table (start1, end1, Acct_Session_Id, NAS_IP_Address, User_Name) returns identical rows, i.e. the same set of values repeated 9 times. I wonder if the usetime option works for transactions in the 2 searches.

I tried using map and seems it works as expected.

Thanks again.
Rgds

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-20-2018 02:46 AM

@stwong,
if it works for you then please accept the answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...