Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Join two queries by nearby event times

chrisboy68
Contributor
‎09-29-2016 12:48 PM

Hi, can't seem to get what I'm looking for working. Here is what I want to do.

Issue a main search of events. Find events around the same time (+/- 10 seconds) around each event of the main search. My result set would be list of events before and after (+/- 10 sec) each main search event.

Any ideas?

Thanks
Chris

Tags (1)
Reply
1 Solution
Solved! Jump to solution

chrisboy68
Contributor
‎09-29-2016 01:17 PM

No, but I did now! Thanks! All working. Didnt know about Map.

Chris

0 Karma
Reply
Solved! Jump to solution

chrisboy68
Contributor
‎09-30-2016 07:10 AM

Hmm, just noticed I'm not getting the results from the base search. Is there a way I can see both the base search and map search as events?

This is what I'm running.

index=myindex AND sourcetype=mysource AND Name="SYSTEM_ERROR"
| eval start_time=_time-10
| eval end_time=start_time+10
| map search="search index=myindex source="anothersource" earliest=$start_time$ latest=$end_time$"

Thanks

Chris

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-30-2016 07:36 AM

Yup... Map uses base search as input and it's search as output for the query. I don't of any better way to have to result of both the queries without appending the base search again, as subsearch, at the end.

base search | map search="some search" | append [search base search]
0 Karma
Reply
Solved! Jump to solution

chrisboy68
Contributor
‎09-30-2016 11:00 AM

Ok thanks!

Chris

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...