Splunk Search

join two indexes based on the date and the hour and try to match inside of minute

Jay2024
New Member

We have logs in two different indexes. There is no common field other than _time. The timestamp of the events in the second index is about 5 seconds further on than the events in the first index. How do I join these two indexes based on the date and the hour and try to match within a minute?

Thanks,


bowesmana
SplunkTrust

If you only have a common field of _time, are you planning on visual matching and how are you looking to match things inside that minute?

You can also use stats to 'join' data together, but perhaps you can expand on your use case with an example so we can give more useful help.


PickleRick
SplunkTrust

You can try to align the _time field with bin command and then match events by exactly the same value of that field (you can leave the original value for reference of course).

Or you can use the transaction command (generally, transaction should be avoided since it's relatively resource intensive and has its limitations but sometimes it's the only reasonable solution).

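An added worked search (not posted by either answerer) showing the bin-and-stats approach from the two replies above in one pipeline. The index names `idx_a` and `idx_b`, the `host` field and the one-hour window are assumptions; the 5-second skew comes from the question. Because `bin` snaps `_time` to clock-minute boundaries, an event at 12:00:58 in `idx_a` and its counterpart at 12:01:03 in `idx_b` would land in different buckets, so the known skew is subtracted from `idx_b` before bucketing:

```spl
(index=idx_a OR index=idx_b) earliest=-1h
| eval orig_time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval _time=if(index="idx_b", _time - 5, _time)
| bin _time span=1m
| stats values(index) AS indexes, list(index) AS per_event_index,
        list(orig_time) AS event_times, list(host) AS hosts, count AS events
        BY _time
| where mvcount(indexes) = 2
| eval minute=strftime(_time, "%Y-%m-%d %H:%M")
| table minute events indexes per_event_index event_times hosts
```

Each output row is one minute in which both indexes had events; `event_times` keeps the original timestamps so the pairing can be checked by eye. If the skew drifts, events that straddle a minute boundary will still split across rows; widening `span` reduces that at the cost of coarser matching, and `transaction maxspan=1m` is the heavier alternative mentioned above when exact bucket alignment is not enough.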