Is there a way to run a joined query with differen...

jwhit · ‎07-07-2015

I am trying to run a query that takes the average runtime of log files and compares them to the current run time of log files. They have different dates because the average should only take the completed jobs up to but not including the current day, and the current job should use the timeframe of 24 hours past the current time. Is there anyway I can run both in the same query using a join.

martin_mueller · ‎07-07-2015

You can use different time ranges in subsearches by explicitly specifying earliest= and latest= in the subsearch.

martin_mueller · ‎07-07-2015

Run this over all time and compare the two rows and the info_min_time / info_max_time fields:

| stats count | addinfo | append [search earliest=-5m latest=now | stats count | addinfo]

jwhit · ‎07-08-2015

What should I be looking for in the comparison?

martin_mueller · ‎07-08-2015

One should contain 0 for min, the other should contain whatever epoch time it was five minutes ago.

jwhit · ‎07-07-2015

I have done that but the All-Time preset seems to over ride those dates.

Is there a way to run a joined query with different date parameters. (Not Using Historical Data)

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?

Is there a way to run a joined query with different date parameters. (Not Using Historical Data)

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside