Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Join two data sets to report their event times

sashpdhar
Explorer
‎11-27-2021 07:57 AM

want to report a pattern for each day and grab event times from different logs for that pattern , tried something like this but not working as expected , need suggestions.

 

Current Query

index="blah" source="*blah*" "Incomming"
| rex "Incomming: (?<s_json>.*])"
| timechart span=1d earliest(_time) as a_time by s_json
| join type=outer s_json
[ search index="blah" source="*blah*" "Internal"
| rex "Internal: (?<s_json>.*])"
| timechart span=1d latest(_time) as c_time by s_json
]
| convert ctime(a_time)
| convert ctime(c_time)
| table _time,s_json,a_time,c_time

 

Expected -

Date1 , j1 , a_time,c_time

Date1,j2,a_time,c_time

Date2,j3,a_time,c_time

Date3,j4,a_time,c_time

Date4,j1,a_time,c_time

Date4,j2,a_time,_ctime

 

Each day can have its own unique patterns ( j1,j2,j3,j4 ... ) , so need to dyamicallly pick that for that day and report a_time and c_time

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-27-2021 10:28 AM

Try something like this

index="blah" source="*blah*" "Incomming"
| rex "Incomming: (?<s_json>.*])"
| bin _time span=1d
| stats earliest(_time) as a_time by _time s_json
| join type=outer _time s_json
[ search index="blah" source="*blah*" "Internal"
| rex "Internal: (?<s_json>.*])"
| bin _time span=1d
| stats latest(_time) as c_time by _time s_json
]
| convert ctime(a_time)
| convert ctime(c_time)
| stats values(a_time) as a_time values(c_time) as c_time by _time s_json
| table _time,s_json,a_time,c_time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-27-2021 10:28 AM

Try something like this

index="blah" source="*blah*" "Incomming"
| rex "Incomming: (?<s_json>.*])"
| bin _time span=1d
| stats earliest(_time) as a_time by _time s_json
| join type=outer _time s_json
[ search index="blah" source="*blah*" "Internal"
| rex "Internal: (?<s_json>.*])"
| bin _time span=1d
| stats latest(_time) as c_time by _time s_json
]
| convert ctime(a_time)
| convert ctime(c_time)
| stats values(a_time) as a_time values(c_time) as c_time by _time s_json
| table _time,s_json,a_time,c_time
0 Karma
Reply
Solved! Jump to solution

sashpdhar
Explorer
‎11-27-2021 01:24 PM

Thanks you , getting below error

Error in 'from' command: Invalid dataset specifier 's_json', expected dataset-type:dataset-name. Verify your search string.

Query - 

 

index="blah" source="*blah*" "Incomming"
| rex "Incomming: (?<s_json>.*])"
| bin _time span=1d
| stats earliest(_time) as a_time by _time s_json
| join type=outer _time s_json
| [search index="blah" source="*blah*" "Internal"
| rex "Internal: (?<s_json>.*])"
| bin _time span=1d
| stats latest(_time) as p_time by _time s_json
]
| convert ctime(a_time)
| convert ctime(p_time)
| stats values(a_time) as a_time values(c_time) as p_time by _time s_json
| table _time,s_json,a_time,p_time

 



0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-27-2021 11:33 PM

If this is your query, you have an extra pipe "|" in the join before the open bracket "["

Also, you aren't using "from" anywhere in the search

If this isn't your actually search, how do you expect us to be able to help you diagnose the problem?

0 Karma
Reply
Solved! Jump to solution

sashpdhar
Explorer
‎11-28-2021 05:53 PM

thanks @ITWhisperer  , it works after that correction.

Sorry first time doing SPL commands , so overlooked  the extra '|' before join

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...