Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Subsearch with different date range
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jkcouch
Explorer
09-13-2012
11:45 AM
Script sends VM configuration information into splunk daily. Trying to get a list of events that existed more than 3 times (3 days). Then I want to take that list and pare it down to the ones that still exist today(because many may not exist anymore since I use this list to remove the cause of the event daily).
source="PS_VM_Config" VMCDMedia="True" earliest=-3d@d | stats count(VMName) AS ConnectedDays, Values(VCenter) AS VCenter BY VMName | where ConnectedDays > 2 | join VMName [search source="PS_VM_Config" VMCDMedia="True" earliest=-1d@d] | table VMName VCenter
Currently I get the full list, not the ones that still exist today. I want to see events that match this criteria: 3 ore more events in the last 3 days and exist within last 24hours.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jkcouch
Explorer
09-14-2012
06:15 AM
ytamura got me pointed in the right direction (thanks). join defaults to type=inner, my problem was the date formatting of "Earliest". Once changed to hour format it worked.
source="PS_VM_Config" VMCDMedia="True" earliest=-72h | stats count(VMName) AS ConnectedDays, Values(VCenter) AS VCenter BY VMName | where ConnectedDays > 2 | join [search source="PS_VM_Config" VMCDMedia="True" earliest=-24h] | table VMName VCenter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jkcouch
Explorer
09-14-2012
06:15 AM
ytamura got me pointed in the right direction (thanks). join defaults to type=inner, my problem was the date formatting of "Earliest". Once changed to hour format it worked.
source="PS_VM_Config" VMCDMedia="True" earliest=-72h | stats count(VMName) AS ConnectedDays, Values(VCenter) AS VCenter BY VMName | where ConnectedDays > 2 | join [search source="PS_VM_Config" VMCDMedia="True" earliest=-24h] | table VMName VCenter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ytamura
Path Finder
09-13-2012
11:51 AM
You can use the option:
| join type=inner
to only join events that have matching fields. Read more here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jkcouch
Explorer
09-14-2012
06:09 AM
Thanks you got me pointed in the right direction.
Get Updates on the Splunk Community!
Index This | What did the zero say to the eight?
June 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...
This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Now Playing: Splunk Education Summer Learning Premieres
It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
