Splunk Search

How to search for all events that happened one hour before any event from a specific set of events?

Splunk Employee
Splunk Employee

Let's say there's a specific set of events I'm looking at (Events A). Now I want to write a search to return all events that happened one hour before any event in Events A. How can I do that?

0 Karma

Legend
0 Karma

Contributor

Try this :

Logic - So the sub search does this - when eventA occures we get the time for that and compute earliest as {_time - 1 hour and 2 minutes} and latest as {_time - 1 hour}

index=abc sourcetype=xyz [ search index=abc sourcetype=xyz "EventA"
| eval earliest=_time-3720 | eval latest=_time-3600 | fields src_ip earliest latest | FORMAT "(" "(" "" ")" "OR" ")" ]
0 Karma

Splunk Employee
Splunk Employee

Thank you. What's the FORMAT function for?

0 Karma