Solved: Join two queries by nearby event times

chrisboy68 · ‎09-29-2016

Hi, can't seem to get what I'm looking for working. Here is what I want to do.

Issue a main search of events. Find events around the same time (+/- 10 seconds) around each event of the main search. My result set would be list of events before and after (+/- 10 sec) each main search event.

Any ideas?

Thanks
Chris

somesoni2 · ‎09-29-2016

Have a look at this

https://answers.splunk.com/answers/321453/how-to-write-a-splunk-search-to-group-a-few-lines.html

View solution in original post

somesoni2 · ‎09-29-2016

Have a look at this

https://answers.splunk.com/answers/321453/how-to-write-a-splunk-search-to-group-a-few-lines.html

chrisboy68 · ‎09-29-2016

No, but I did now! Thanks! All working. Didnt know about Map.

Chris

chrisboy68 · ‎09-30-2016

Hmm, just noticed I'm not getting the results from the base search. Is there a way I can see both the base search and map search as events?

This is what I'm running.

index=myindex AND sourcetype=mysource AND Name="SYSTEM_ERROR"
| eval start_time=_time-10
| eval end_time=start_time+10
| map search="search index=myindex source="anothersource" earliest=$start_time$ latest=$end_time$"

Thanks

Chris

somesoni2 · ‎09-30-2016

Yup... Map uses base search as input and it's search as output for the query. I don't of any better way to have to result of both the queries without appending the base search again, as subsearch, at the end.

base search | map search="some search" | append [search base search]

chrisboy68 · ‎09-30-2016

Ok thanks!

Chris

Join two queries by nearby event times

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?

Join two queries by nearby event times

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!