- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: JOIN on "_time +- 3sec"
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JOIN on "_time +- 3sec"
Hi, I'm new to splunk 🙂
This is my query:
* Tagname="series" Wert="54" | JOIN _time [SEARCH Tagname="workload" ] | CHART VALUES(Wert) BY _time *
Goal:
The query above got me nearly 75% of my events. But sometimes the timestamp differs a little bit, so I need to have a tolerance range with +/- 3 seconds for "_time" .
How can I achieve this?
Thanks for your help,
Bastian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could it be the same situation that this one : to pick one event, then run a second search to find the events "around" that event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That goes in the right direction - However it does not fully complete my needs, because it is filtering on a fix amount of results and only in a certain timespan. I want to get always and the timespan should only be respective to the results found in search 1.
-> I have updated the question - I was able to get my results with a join (but not unfortunatly not all of them). Can you help here also?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
it is a little unclear to me if there are 3 fields: "key" "value" and "time" which are all fields, or there are more fields such as "named" which 'series' is a value of and andl "workload" is a field
if the latter, try this search: index=<your_index> sourcetype=<your_sourcetype> named="series" value="54" workload="*" | stats values(workload) as unique_workloads | mvexpand unique_workloads
hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No there are not other fields. field1="workload" and field2="series"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try searching workload=* series=* | bin span=1m _time | stats values(workload) as unique_workloads by _time
hope i understand the question ....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer adonio: I think you got me wrong workload and series are not fields...
I have updated my question and also added a SQL Pseudocode. Do you understand it better now?
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
