Solved: correlate events between two indexes with timestam...

sigma · ‎09-02-2023

I have an index A and another index B. logs in A have a correlation to logs in B. But the only common field between them is 'timestamp'. There is a field 'fa' in index A and field 'fb' in index B.

timestamp in index A logs has a +5 minutes drift with index B.
Now I want to write a query to match field 'fa' in index A and find corresponding log based on timestamp (with +5 minutes drift) on index B and get me field 'fb' in index B.

gcusello · ‎09-02-2023

Hi @sigma,

let me understand:

you want to filter the logs from index b using the timeastamp +5min found where in index A the condition is fa="your_value", at least the output is fb, is it correct?

if this is your requirement, you could try something like this:

index=indexB [ | search index=indexA fa="your_value" | eval earliest=_time, latest=relative_time(_time,"+300s") | fields earliest latest ]
| table fb

Ciao.

Giuseppe

View solution in original post

gcusello · ‎09-02-2023

Hi @sigma,

let me understand:

you want to filter the logs from index b using the timeastamp +5min found where in index A the condition is fa="your_value", at least the output is fb, is it correct?

if this is your requirement, you could try something like this:

index=indexB [ | search index=indexA fa="your_value" | eval earliest=_time, latest=relative_time(_time,"+300s") | fields earliest latest ]
| table fb

Ciao.

Giuseppe

sigma · ‎09-02-2023

Hero of the day.
Thank you @gcusello
that was exactly I wanted.
what is I want to get events between timastamps (A and B)? for example I have a time say ''2023-09-02T15:22:04.001854200Z' and one '2023-09-02T15:27:04.001854200Z'.
I want those query except to set the time myself.

Thank you.

correlate events between two indexes with timestamp

subsearch

table

Index This | What gets bigger the more you remove?

Introducing the 2024 Splunk MVPs!

Thanks for the Memories! Splunk University, .conf24, and Community Connections