Splunk Search

Join two queries by nearby event times

Contributor

Hi, can't seem to get what I'm looking for working. Here is what I want to do.

Issue a main search of events. Find events around the same time (+/- 10 seconds) around each event of the main search. My result set would be list of events before and after (+/- 10 sec) each main search event.

Any ideas?

Thanks
Chris


Contributor

No, but I did now! Thanks! All working. Didn't know about Map.

Chris


Contributor

Hmm, just noticed I'm not getting the results from the base search. Is there a way I can see both the base search and map search as events?

This is what I'm running.

index=myindex AND sourcetype=mysource AND Name="SYSTEMERROR"
| eval start_time=_time-10
| eval end_time=_time+10
| map search="search index=myindex source=anothersource earliest=$start_time$ latest=$end_time$"

Thanks

Chris


SplunkTrust

Yup... Map uses the base search as input and its search as output for the query. I don't know of any better way to have the results of both queries without appending the base search again, as a subsearch, at the end.

base search | map search="some search" | append [search base search]
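The combined query the thread arrives at, written out in full, as an added example that is not from the thread (index, sourcetype, source and field names are the poster's placeholders; maxsearches is set explicitly because map stops after 10 base events by default, so any base events past the tenth would get no nearby events):

```spl
index=myindex sourcetype=mysource Name="SYSTEMERROR"
| eval start_time=_time-10, end_time=_time+10
| map search="search index=myindex source=anothersource earliest=$start_time$ latest=$end_time$" maxsearches=1000
| eval origin="nearby"
| append [ search index=myindex sourcetype=mysource Name="SYSTEMERROR" | eval origin="base" ]
| dedup _time, _raw
| sort 0 _time
| table _time, origin, source, Name, _raw
```

The origin field marks which rows came from the map search and which from the re-run base search, and dedup removes nearby events that were returned twice because two base events fell within 10 seconds of each other.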

Contributor

Ok thanks!

Chris
