join results if _time between startTime and finish...

justme · ‎10-14-2010

I have one source that provides startTime and finishTime of a test.
I also have a log file that gives me _time and event

I would like to produce a search that will give me the following results

startTime finishTime testResult event1,event2,event3

where the _time on event1,event2,and event3 is between startTime and finishTime

For example

Source 1:
StartTime FinishTime Response
1286345749443 1286345749455 passed
1286345749460 1286345749465 passed
1286345749470 1286345749475 failed

Source 2 timeStamp Event
1286345749471 SocketException
1286345749474 IOException

Result should be
StartTime FinishTime Result Event
1286345749470 1286345749475 failed SocketException, IOException

woodcock · ‎05-26-2015

This should do it:

sourcetype=source1 | map search="sourcetype=source2 earliest=$StartTime$ latest=$FinishTime | stats earliest(timestamp) AS StartTime latest(timestamp) AS FinishTime list(Event) as Events"

justme · ‎10-14-2010

Source 1:

StartTime FinishTime Response
1286345749443 1286345749455 passed
1286345749460 1286345749465 passed
1286345749470 1286345749475 failed

Source 2
timeStamp Event
1286345749471 SocketException
1286345749474 IOException

Result should be
StartTime FinishTime Result Event
1286345749470 1286345749475 failed SocketException, IOException

Genti · ‎10-14-2010

can you provide sample log files for both sources?

join results if _time between startTime and finishTime

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)