How to see if field values from index 1 shows up i...

agoktas · ‎10-17-2017

Do I need to do some fancy joined search here?

I have values that will show in index 2, and I want to check index 1 to see if they exist, then table results.

Is this something that I need to provide a lot more information on? (i.e.: Log examples)

At least some guidance would be helpful. 🙂

Thanks!

pradeepkumarg · ‎10-17-2017

What you are looking for is a sub search. Make sure the field name is same across both the indexes. If not, use the rename command to match the field names

index=myIndex1 [search index=myIndex2 | table myField ]

agoktas · ‎10-17-2017

Awesome! One last thing...

What if I want to have the dates reflect differently between both indexes?

example:
index 1 = All Time
index 2 = Today

How do I restrict to certain time frames within the search example you provided?

Thanks!

pradeepkumarg · ‎10-18-2017

You can specify that by using time modifiers earliest and latest

Below example uses 24h for the outer search and 1h for the inner search

index=myIndex1 earliest=-24h latest=now [search index=myIndex2 earliest=-1h latest=now| table myField ]

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/SearchTimeModifiers

How to see if field values from index 1 shows up in index 2?

Data Preparation Made Easy: SPL2 for Edge Processor

Introducing Edge Processor: Next Gen Data Transformation

Tips & Tricks When Using Ingest Actions