Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

join two indexes based on the date and the hour and try to match inside of minute

Jay2024
New Member
‎02-29-2024 11:36 AM

We have logs in two different indexes. There is no common field other than the _time . The  timestamp of the events in second index is about 5 seconds further than the events in the first index. How do in  I need to join these two indexes based on the date and the hour and try to match inside of minute?

Thanks,

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-03-2024 02:22 PM

If you only have a common field of _time, are you planning on visual matching and how are you looking to match things inside that minute?

You can also use stats to 'join' data together, but perhaps you can expand on your use case with an example so we can give more useful help.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 03:27 PM

You can try to align the _time field with bin command and then match events by exactly the same value of that field (you can leave the original value for reference of course).

Or you can use the transaction command (generally, transaction should be avoided since it's relatively resource intensive and has its limitations but sometimes it's the only reasonable solution).

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...