Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Join events by closest time

pembleton
Path Finder
‎06-23-2013 11:22 AM

Hello, lets say I have events from two sourcetypes:

  1. time, ip, hostname
  2. time, ip, username

Now I want to match username to hostname based on the time and ip field in the following manner:
ip has to be the same, time has to be the closest time (before or after). Any easy out of the box way for doing that?

Tags (1)
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-23-2013 03:11 PM

If you know the two events are less than n seconds apart you could use transaction on the field ip with a maxspan of n seconds.

Reply

pembleton
Path Finder
‎06-24-2013 11:48 PM

oh, but what I still want is to find the closest one between them, this just gives me a great big list

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-24-2013 02:11 PM

Maybe this is what you need then:

... | eventstats values(username) as users values(hostname) as hosts by ip
0 Karma
Reply

pembleton
Path Finder
‎06-24-2013 11:16 AM

ok, so what i meant is that an event can have numerous partners, meaning many users can come from the same host. and a user could use many hosts.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-24-2013 11:05 AM

Event 12:09 is now closer to 12:11 than to 12:05 so 12:09 must be associated with 12:11 and 12:05 loses its "partner".

0 Karma
Reply

pembleton
Path Finder
‎06-24-2013 10:56 AM

First question - yes
Second - no, why has anything changed?

I'll look into streamstats and come back

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎06-24-2013 04:19 AM

You could try using streamstats by ip to add recent usernames and recent hostnames to neighbouring events.

Whether that works depends on your data. For example, if you have this set at 12:10:

12:00 1.2.3.4 host=foohost
12:05 1.2.3.4 user=foouser
12:09 1.2.3.4 host=barhost

You would associate 12:05 with 12:09?
What if at 12:11 you get another event like this:

12:11 1.2.3.4 user=baruser

Would you now associate 12:05 with 12:00?

0 Karma
Reply

pembleton
Path Finder
‎06-24-2013 12:39 AM

I have that one ready, but I don't know how far apart they are, I want to find the closest one for each event, with no limit.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...