Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Subsearch based on if statement

dolfantimmy
Path Finder
‎05-26-2011 01:24 PM

I'm pretty new to this so if this is a newbie question I apologize.

I'm doing a search against a set of log files (i.e. xyz.log). Each event, or record, contains an operation id and a timestamp(down to millisecond), among other things. So, I need no more in the search, UNLESS, the operation is MOVE. If the operation is MOVE, then I need to search for events in another log (abc.log) that have nearly the same time stamp, say, within 500 milliseconds, and display as well.

Tags (4)
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-26-2011 05:12 PM

You can use subsearch. It is extremely common, but also not the most intuitive to write:

source=abc.log [ search source=xyz.log "MOVE" | earliest=_time-0.500 | latest=_time+0.500 | fields earliest,latest ]

There's no need for an if, as the conditional logic is implicit in your selection of looking for events containing MOVE.

A search like this is featured on the Splunk Mug, the "What were you doing around the time of the murders?" query.

Reply

dolfantimmy
Path Finder
‎05-27-2011 08:18 AM

What I mean is, I need to have all operations from xyz.log displayed, not just MOVE operations, but should only need to grab data from abc.log if the operation is MOVE. Also, forgive my ignorance, but I get an error when using the syntax you provided. |earliest=my_timestamp_var tells me it doesn't know what earliest is, same with latest.

0 Karma
Reply

dolfantimmy
Path Finder
‎05-27-2011 05:55 AM

Wouldn't this provide me with data for ONLY MOVE operations?

0 Karma
Reply

Glenn
Builder
‎05-27-2011 03:34 AM

So, how do we get a mug? This I can use! I have too many Splunk t-shirts that only seem to come in size L and are way to big for me. 🙂

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-26-2011 03:57 PM

Sounds like a pattern that could be accomplished with transaction. http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction

This would work best if there was some common value (other than time) linking the MOVE event to the abc.log events.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...