Solved: two different time modifiers in one search?

p_splunk · ‎02-20-2013

The problem I'm facing is that I want a search that comes up with the possibility to set different time modifiers for different events.
For examples i want all account-registrations of january and all item-buys of january AND february.

I'm aware of the possibility of append (but it only works on results right, is there a similar function to append events?), but since this uses a subsearch which performs badly I'm searching for a different possibilty.

lguinn2 · ‎02-20-2013

Try this:

Search over January + February

(account-registrations) OR (item-buys)
| eval eventCategory = If(somecriteria,"Registration","Buy")
| eval month = if (_time < relative_time(now(),"@mon"),"Last","Current")
| where month = "Last" OR eventCategory="Buy"

I don't have enough information to write the actual search, or the criteria for the first if function. But this is a start... and it does avoid subsearches.

View solution in original post

lguinn2 · ‎02-20-2013

Try this:

Search over January + February

(account-registrations) OR (item-buys)
| eval eventCategory = If(somecriteria,"Registration","Buy")
| eval month = if (_time < relative_time(now(),"@mon"),"Last","Current")
| where month = "Last" OR eventCategory="Buy"

I don't have enough information to write the actual search, or the criteria for the first if function. But this is a start... and it does avoid subsearches.

p_splunk · ‎02-20-2013

thanks for the great answer, performs very well.

two different time modifiers in one search?

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join the Conversation

two different time modifiers in one search?

Your Guide to Splunk Digital Experience Monitoring

Data Management Digest – November 2025

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA