Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

join results if _time between startTime and finishTime

justme
New Member
‎10-14-2010 06:16 PM

I have one source that provides startTime and finishTime of a test.
I also have a log file that gives me _time and event

I would like to produce a search that will give me the following results

startTime finishTime testResult event1,event2,event3

where the _time on event1,event2,and event3 is between startTime and finishTime

For example

Source 1:
StartTime FinishTime Response
1286345749443 1286345749455 passed
1286345749460 1286345749465 passed
1286345749470 1286345749475 failed

Source 2 timeStamp Event
1286345749471 SocketException
1286345749474 IOException

Result should be
StartTime FinishTime Result Event
1286345749470 1286345749475 failed SocketException, IOException

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-26-2015 09:55 PM

This should do it:

sourcetype=source1 | map search="sourcetype=source2 earliest=$StartTime$ latest=$FinishTime | stats earliest(timestamp) AS StartTime latest(timestamp) AS FinishTime list(Event) as Events"
0 Karma
Reply

justme
New Member
‎10-14-2010 08:29 PM

Source 1:

StartTime FinishTime Response
1286345749443 1286345749455 passed
1286345749460 1286345749465 passed
1286345749470 1286345749475 failed

Source 2
timeStamp Event
1286345749471 SocketException
1286345749474 IOException

Result should be
StartTime FinishTime Result Event
1286345749470 1286345749475 failed SocketException, IOException

0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎10-14-2010 06:32 PM

can you provide sample log files for both sources?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...