Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

join two indexes based on the date and the hour and try to match inside of minute

Jay2024
New Member
‎02-29-2024 11:36 AM

We have logs in two different indexes. There is no common field other than the _time . The  timestamp of the events in second index is about 5 seconds further than the events in the first index. How do in  I need to join these two indexes based on the date and the hour and try to match inside of minute?

Thanks,

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎03-03-2024 02:22 PM

If you only have a common field of _time, are you planning on visual matching and how are you looking to match things inside that minute?

You can also use stats to 'join' data together, but perhaps you can expand on your use case with an example so we can give more useful help.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 03:27 PM

You can try to align the _time field with bin command and then match events by exactly the same value of that field (you can leave the original value for reference of course).

Or you can use the transaction command (generally, transaction should be avoided since it's relatively resource intensive and has its limitations but sometimes it's the only reasonable solution).

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...