Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Subsearch with different date range
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jkcouch
Explorer
09-13-2012
11:45 AM
Script sends VM configuration information into splunk daily. Trying to get a list of events that existed more than 3 times (3 days). Then I want to take that list and pare it down to the ones that still exist today(because many may not exist anymore since I use this list to remove the cause of the event daily).
source="PS_VM_Config" VMCDMedia="True" earliest=-3d@d | stats count(VMName) AS ConnectedDays, Values(VCenter) AS VCenter BY VMName | where ConnectedDays > 2 | join VMName [search source="PS_VM_Config" VMCDMedia="True" earliest=-1d@d] | table VMName VCenter
Currently I get the full list, not the ones that still exist today. I want to see events that match this criteria: 3 ore more events in the last 3 days and exist within last 24hours.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jkcouch
Explorer
09-14-2012
06:15 AM
ytamura got me pointed in the right direction (thanks). join defaults to type=inner, my problem was the date formatting of "Earliest". Once changed to hour format it worked.
source="PS_VM_Config" VMCDMedia="True" earliest=-72h | stats count(VMName) AS ConnectedDays, Values(VCenter) AS VCenter BY VMName | where ConnectedDays > 2 | join [search source="PS_VM_Config" VMCDMedia="True" earliest=-24h] | table VMName VCenter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jkcouch
Explorer
09-14-2012
06:15 AM
ytamura got me pointed in the right direction (thanks). join defaults to type=inner, my problem was the date formatting of "Earliest". Once changed to hour format it worked.
source="PS_VM_Config" VMCDMedia="True" earliest=-72h | stats count(VMName) AS ConnectedDays, Values(VCenter) AS VCenter BY VMName | where ConnectedDays > 2 | join [search source="PS_VM_Config" VMCDMedia="True" earliest=-24h] | table VMName VCenter
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ytamura
Path Finder
09-13-2012
11:51 AM
You can use the option:
| join type=inner
to only join events that have matching fields. Read more here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jkcouch
Explorer
09-14-2012
06:09 AM
Thanks you got me pointed in the right direction.
Get Updates on the Splunk Community!
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Announcing the General Availability of Splunk Enterprise Security 8.1!
We are pleased to announce the general availability of Splunk Enterprise Security 8.1. Splunk becomes the only ...
Developer Spotlight with William Searle
The Splunk Guy: A Developer’s Path from Web to Cloud
William is a Splunk Professional Services Consultant with ...
