How to pass the time from one query to another que...

Veeru · ‎03-23-2023

Actually I want to pass the time from first query to second and get results out on basis of first query time.
First query
index="A" sourcetype="B" | rex "\d+\-\S+.(?<JobName>\w+)\," | transaction JobName startswith= start endswith=end | table _time _raw
Second Query
index="C" sourcetype="cpu" host="A.local" | eval firsttime=strftime(_time, "%d/%m/%Y %H:%M:%S"), secondtime=strftime(_time, "%d/%m/%Y %H:%M:%S") | where (firsttime >= "26/02/2023 03:03:03") AND (secondtime <= "26/02/2023 04:03:03") | eval Total=(pctSystem+pctUser) | table "firsttime" "host" "secondtime" "Total"
I wanna combine and get the results from first query start and end

gcusello · ‎03-24-2023

Hi @Veeru ,

you need to extract the earliest and latest values from the first search, so try something like this:

index="C" sourcetype="cpu" host="A.local" [ search index="A" sourcetype="B" | rex "\d+\-\S+.(?<JobName>\w+)\," | transaction JobName startswith= start endswith=end | eval earliest=_time, latest=_time+duration | fields earliest latest ]
| eval firsttime=strftime(_time, "%d/%m/%Y %H:%M:%S"), secondtime=strftime(_time, "%d/%m/%Y %H:%M:%S") 
| where (firsttime >= "26/02/2023 03:03:03") AND (secondtime <= "26/02/2023 04:03:03") 
| eval Total=(pctSystem+pctUser) 
| table "firsttime" "host" "secondtime" "Total"

You could also work in avoiding transaction command that's a very slow command.

Ciao.

Giuseppe

How to pass the time from one query to another query?

eval

stats

transaction

Good Sourcetype Naming

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Splunk App for Anomaly Detection End of Life Announcement

Are you a member of the Splunk Community?