Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join 2 sourcetype on on field if time difference between 2 records is less than 3 seconds

anujshah
Engager
‎11-09-2017 09:48 AM

So I have 2 different source types which I can join using DEVICE field. But I wan to join records if and only if time difference if less than 3 seconds between them. (If multiple records than take latest one).

Than I want to show records only if some field in one record contain some value but in other record it doesn't contain that value.

I have achieved 2nd part using following query but I want with time condition as well.

index="index1" sourcetype="source1"  | join  DEVICE [search index=index1 sourcetype=source2 STATE=state1 OR STATE=state2 ] | eval state1=if(like(STATE, "%state1%"), 1, 0) | eval state1Control = if(like(CONTROL, "%state1%"), 1, 0) | eval state2=if(like(STATE, "%state2%"), 1, 0) | eval state2Control = if(like(CONTROL, "%state2%"), 1, 0)  | where state1!=state1Control AND state2!=state2Control |  table  _time, DEVICE, STATE, CONTROL
Reply

acharlieh
Influencer
‎11-09-2017 02:50 PM

This feels like a problem for transaction with a specified maxspan but I'd have to think about it more to come up with the exact syntax: http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/transaction

0 Karma
Reply

cmerriman
Super Champion
‎11-09-2017 01:52 PM

can you try to do something like index="index1" sourcetype="source1" |bucket _time as timespan span=3s| join DEVICE timespan [search index=index1 sourcetype=source2 STATE=state1 OR STATE=state2|bucket _time as timespan span=3s ]...
to join on a three second span?
i think there is probably a better way around that using streamstats i'm just trying to think it through

0 Karma
Reply

anujshah
Engager
‎11-09-2017 02:35 PM

Thank you so much for answer. I will try this. But time condition here is a bit complex: If the CONTROL in source1 contains state1 than there should be an entry in source2 which contains state1, now that entry can be there before the time of source1 entry or maximum in 3 seconds not after that the entry of source1.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...