Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search for all events that happened one hour before any event from a specific set of events?

lilianwong
Splunk Employee
Splunk Employee
‎04-19-2016 09:39 AM

Let's say there's a specific set of events I'm looking at (Events A). Now I want to write a search to return all events that happened one hour before any event in Events A. How can I do that?

0 Karma
Reply

sundareshr
Legend
‎04-19-2016 06:42 PM

Have you looked at the map command. http://docs.splunk.com/Documentation/Splunk/6.0.6/SearchReference/Map

0 Karma
Reply

jensonthottian
Contributor
‎04-19-2016 09:59 AM

Try this :

Logic - So the sub search does this - when eventA occures we get the time for that and compute earliest as {_time - 1 hour and 2 minutes} and latest as {_time - 1 hour}

index=abc sourcetype=xyz [ search index=abc sourcetype=xyz "EventA"
| eval earliest=_time-3720 | eval latest=_time-3600 | fields src_ip earliest latest | FORMAT "(" "(" "" ")" "OR" ")" ]
0 Karma
Reply

lilianwong
Splunk Employee
Splunk Employee
‎06-24-2016 11:19 AM

Thank you. What's the FORMAT function for?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...