Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to run two searches based on timestamp?

majeedk_nbg
Engager
‎02-01-2023 04:27 AM

I have a dashboard showing website user journey data by reading various elements from a  log message.  Now the structure of logs has been changed in such a way I will have to change my queries to get same data elements. 

Say the logs changed on 1st February and I want to use same dashboard to be able to see data before and after the change. 

So my question is how do I use two queries, on same data source but applying first query before hardcoded time (e.g. 2023-02-01 00:00:00) and other after this time and join the records together to generate my stats. BTW, I also have a global date time picker which dictates how far back in time I perform the search   

 

Labels (4)
Labels
0 Karma
Reply

PaulPanther
Motivator
‎02-01-2023 06:14 AM

If the field names were just changed you could use field aliases.

 Create field aliases in Splunk Web - Splunk Documentation

0 Karma
Reply

majeedk_nbg
Engager
‎02-01-2023 06:22 AM

The log structure has been changed completely.

Before change every thing was extracted using substrings and regex etc because different pieces of information for different event types were just were just concatenated into single message.

But  now the log message has been refactored so all fields i need are already part of message in the format userId="something", email="xyz@gmail.com", and so on. irrespective of type of event, the required field are always populated with a value which is directly use. 

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-01-2023 07:24 AM

You could use conditional evaluations e.g.

| eval userid=if(isnull(userid),substr(_raw,x,y),userid)

or

| eval userid=if(_time<fixedpointintime,substr(_raw,x,y),userid)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...