Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Nested Search

hankmath
Observer
‎02-21-2017 07:56 AM

Hi,
I have two tables:
table1:
share, cost, time
A , 10 , 2017-02-20
A , 14 , 2017-02-21
B , 13 , 2017-02-21
C , 4 , 2017-02-24
C , 11 , 2017-02-24

table2:
share, cost, time, name

A , 11 , 2017-02-20 , Moshe

A , 15 , 2017-02-21, Dani
B , 13 , 2017-02-21 , Rafael
B , 4 , 2017-02-24 , John
C , 11 , 2017-02-24 , George
A , 22 , 2017-02-20 , Yossi
A , 9 , 2017-02-21 , Yossi

I want to look at A rows from table 1 , and choose (from table 2) the A rows with cost in range +-5 of the original cost (we took from table 1) .

I tried to use eval but i think i miss something here

Thanks.

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎02-21-2017 08:29 AM

Give this a try

your search for table 2 with fields share, cost, time, name 
| appeend [search your search for table 1 with fields share, cost, time | rename cost as cost_threshold | eval from="table1"]
| eventstats values(cost_threshold) as cost_threshold by share time | where NOT (from="table1") AND abs(cost-cost_threshold)=5
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...