Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

join two indexes based on the date and the hour and try to match inside of minute

Jay2024
New Member
‎02-29-2024 11:36 AM

We have logs in two different indexes. There is no common field other than the _time . The  timestamp of the events in second index is about 5 seconds further than the events in the first index. How do in  I need to join these two indexes based on the date and the hour and try to match inside of minute?

Thanks,

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-03-2024 02:22 PM

If you only have a common field of _time, are you planning on visual matching and how are you looking to match things inside that minute?

You can also use stats to 'join' data together, but perhaps you can expand on your use case with an example so we can give more useful help.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 03:27 PM

You can try to align the _time field with bin command and then match events by exactly the same value of that field (you can leave the original value for reference of course).

Or you can use the transaction command (generally, transaction should be avoided since it's relatively resource intensive and has its limitations but sometimes it's the only reasonable solution).

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...