Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Join two data sets to report their event times

sashpdhar
Explorer
‎11-27-2021 07:57 AM

want to report a pattern for each day and grab event times from different logs for that pattern , tried something like this but not working as expected , need suggestions.

 

Current Query

index="blah" source="*blah*" "Incomming"
| rex "Incomming: (?<s_json>.*])"
| timechart span=1d earliest(_time) as a_time by s_json
| join type=outer s_json
[ search index="blah" source="*blah*" "Internal"
| rex "Internal: (?<s_json>.*])"
| timechart span=1d latest(_time) as c_time by s_json
]
| convert ctime(a_time)
| convert ctime(c_time)
| table _time,s_json,a_time,c_time

 

Expected -

Date1 , j1 , a_time,c_time

Date1,j2,a_time,c_time

Date2,j3,a_time,c_time

Date3,j4,a_time,c_time

Date4,j1,a_time,c_time

Date4,j2,a_time,_ctime

 

Each day can have its own unique patterns ( j1,j2,j3,j4 ... ) , so need to dyamicallly pick that for that day and report a_time and c_time

Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-27-2021 10:28 AM

Try something like this

index="blah" source="*blah*" "Incomming"
| rex "Incomming: (?<s_json>.*])"
| bin _time span=1d
| stats earliest(_time) as a_time by _time s_json
| join type=outer _time s_json
[ search index="blah" source="*blah*" "Internal"
| rex "Internal: (?<s_json>.*])"
| bin _time span=1d
| stats latest(_time) as c_time by _time s_json
]
| convert ctime(a_time)
| convert ctime(c_time)
| stats values(a_time) as a_time values(c_time) as c_time by _time s_json
| table _time,s_json,a_time,c_time

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-27-2021 10:28 AM

Try something like this

index="blah" source="*blah*" "Incomming"
| rex "Incomming: (?<s_json>.*])"
| bin _time span=1d
| stats earliest(_time) as a_time by _time s_json
| join type=outer _time s_json
[ search index="blah" source="*blah*" "Internal"
| rex "Internal: (?<s_json>.*])"
| bin _time span=1d
| stats latest(_time) as c_time by _time s_json
]
| convert ctime(a_time)
| convert ctime(c_time)
| stats values(a_time) as a_time values(c_time) as c_time by _time s_json
| table _time,s_json,a_time,c_time
0 Karma
Reply
Solved! Jump to solution

sashpdhar
Explorer
‎11-27-2021 01:24 PM

Thanks you , getting below error

Error in 'from' command: Invalid dataset specifier 's_json', expected dataset-type:dataset-name. Verify your search string.

Query - 

 

index="blah" source="*blah*" "Incomming"
| rex "Incomming: (?<s_json>.*])"
| bin _time span=1d
| stats earliest(_time) as a_time by _time s_json
| join type=outer _time s_json
| [search index="blah" source="*blah*" "Internal"
| rex "Internal: (?<s_json>.*])"
| bin _time span=1d
| stats latest(_time) as p_time by _time s_json
]
| convert ctime(a_time)
| convert ctime(p_time)
| stats values(a_time) as a_time values(c_time) as p_time by _time s_json
| table _time,s_json,a_time,p_time

 



0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-27-2021 11:33 PM

If this is your query, you have an extra pipe "|" in the join before the open bracket "["

Also, you aren't using "from" anywhere in the search

If this isn't your actually search, how do you expect us to be able to help you diagnose the problem?

0 Karma
Reply
Solved! Jump to solution

sashpdhar
Explorer
‎11-28-2021 05:53 PM

thanks @ITWhisperer  , it works after that correction.

Sorry first time doing SPL commands , so overlooked  the extra '|' before join

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...