Solved: Search Time interval

grio · ‎10-26-2010

sourcetype=A earliest=10/21/2010:09:0:0 latest=10/21/2010:09:02:0 OR sourcetype=listener earliest=10/21/2010:08:59:0 latest=10/21/2010:09:03:0 | eval x=case(sourcetype=="A" , 1 , sourcetype=="B",2) | stats sum(x) as x by id | fields x,id | where x==1

hello

I have a search problem

I would like to set two times interval ??

Thank you for your help

chris · ‎10-31-2010

You can concatenate the results of 2 searches by using append and the 2 searches can have different time ranges.

sourcetype=A earliest=-30m latest=-20 | append [search sourcetype=B earliest=-25m latest=-15m]

View solution in original post

gkanapathy · ‎10-31-2010

Your original will work fine if you parenthesize correctly and specify your times in an acceptable format:

(sourcetype=A earliest=10/21/2010:09:00:00 latest=10/21/2010:09:02:00) OR (sourcetype=listener earliest=10/21/2010:08:59:00 latest=10/21/2010:09:03:00)

View solution in original post

gkanapathy · ‎10-31-2010

Your original will work fine if you parenthesize correctly and specify your times in an acceptable format:

(sourcetype=A earliest=10/21/2010:09:00:00 latest=10/21/2010:09:02:00) OR (sourcetype=listener earliest=10/21/2010:08:59:00 latest=10/21/2010:09:03:00)

chris · ‎10-31-2010

You can concatenate the results of 2 searches by using append and the 2 searches can have different time ranges.

sourcetype=A earliest=-30m latest=-20 | append [search sourcetype=B earliest=-25m latest=-15m]

Search Time interval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation