Splunk Search

problem with the nearest time range



I have two files and I want to correlate them based on the "Time Field". The problem is that the "Time Field" does not have the same value in both files. Manually, I just take one time from file A, find the nearest time in the second file and put all the values together.

Is it possible in SPLUNK to just match the event with the nearest time (if the exact time is not defined)...

Please help in this regard.

Thanks in advance,



You could use the approach of comparing floating point numbers with each other. There, you do not test floatA == floatB because rounding errors and other nastiness may lead to two different values while mathematically both would be equal. Instead, you define a tolerance within which two values are considered equal: abs(floatA - floatB) < tolerance. How large the tolerance should be depends on the specific use case.

In your situation you could do the same, not look for equal timestamps but rather look for timestamps that are "almost equal". To put some numbers to it, if you get two files every hour but they're off by up to a minute you would not get them with equality but would get them with a tolerance of a minute.

That relies on the tolerance being smaller than the gap between unrelated events of course. Ideally, you would have another means of correlating the two files as Drainy mentioned.

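The tolerance-based matching described in the answer above, as an added Python example (not code from the original thread or from Splunk): two constructed sample files whose Time Field values differ slightly are loaded, and each row of file A is paired with the nearest row of file B only when the gap is below the tolerance; otherwise it is left unmatched.

```python
"""Nearest-timestamp correlation with a tolerance, instead of exact equality."""
from bisect import bisect_left
from datetime import datetime, timedelta

# Constructed sample "files": the Time Field is close but never identical.
FILE_A = """2023-03-01 10:00:05,host1,login
2023-03-01 11:00:10,host2,login
2023-03-01 12:00:00,host3,login
"""
FILE_B = """2023-03-01 10:00:50,host1,session-start
2023-03-01 11:01:30,host2,session-start
2023-03-01 12:30:00,host3,session-start
"""


def parse(text):
    """Return [(timestamp, [other fields...]), ...] for one CSV-like file."""
    rows = []
    for line in text.strip().splitlines():
        ts, *rest = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), rest))
    return rows


def nearest_match(rows_a, rows_b, tolerance):
    """Pair each A row with the B row whose timestamp is closest.

    Equivalent to abs(tA - tB) < tolerance from the answer: if the closest
    B row is still further away than the tolerance, the A row gets None.
    """
    rows_b = sorted(rows_b, key=lambda r: r[0])
    keys = [r[0] for r in rows_b]
    out = []
    for ts_a, fields_a in rows_a:
        i = bisect_left(keys, ts_a)  # B rows at i-1 and i bracket ts_a
        candidates = [rows_b[j] for j in (i - 1, i) if 0 <= j < len(rows_b)]
        best = min(candidates, key=lambda r: abs(r[0] - ts_a), default=None)
        if best is not None and abs(best[0] - ts_a) < tolerance:
            out.append((ts_a, fields_a, best[1]))
        else:
            out.append((ts_a, fields_a, None))
    return out


def correlate(tolerance_seconds=120):
    """Run the match on the sample files with the given tolerance in seconds."""
    return nearest_match(parse(FILE_A), parse(FILE_B),
                         timedelta(seconds=tolerance_seconds))
```

With a 120-second tolerance the first two rows pair up (45 s and 80 s apart) and the third stays unmatched (30 minutes apart); shrinking the tolerance to 60 seconds also drops the second pair, which illustrates the answer's point that the tolerance must sit between the real jitter and the gap between unrelated events.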


Can you try explaining that again? How do you know they are related if the time doesn't match? Is there another relation you aren't explaining? Have you considered paying for Splunk training? This community is great at helping people learn and overcome challenges, but a lot of your challenges are, "How do I do this basic task that is listed in the Splunk documents?"
That suggests that you need to either read the tutorials or pay for training. Of course, this may not apply to this question, as I can't figure out your problem 🙂