Re: Join Earlier Joins with Later

grex2595 · ‎12-07-2018

I'm doing a join where I want to only get subsearch events that happened before the parent search event. Thus, I'm using:

txnEnd | spath output=custID path=path | join custID [search txnStart | spath output=amount path=path] | table custID, amount

Since txnEnd comes after txnStart , I'm using join's default usetime=true earlier=true. Whether or not I explicitly state these values, I am getting records on the table where txnStart happens after txnEnd (tested by getting the _time of each event and displaying the difference between them).

Why doesn't Splunk only join on the earlier events? What can I do to make it so that txnEnd will only join with events from txnStart that happened before txnEnd ?

Edit

I thought I might mention that the same custID applies to multiple txnEnds and multiple txnStarts. The two events do not have a unique ID that will tie them together, so I have to determine which txnStart belongs to txnEnd based off of which txnStart with the same custID happened the most recently before txnEnd.

nagarjuna280 · ‎12-08-2018

First group all events together, don't use joins.

Pull transaction start and end, If you have these two events in different index OR sourcetypes, then append transaction start events to end using append command

| transaction custID startswith="something which is in transction start events" endwith="something which is in transction end events"

go through Transaction command in Splunk doc, you get to know how to use this command

Join Earlier Joins with Later

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation