Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

two different time modifiers in one search?

p_splunk
Engager
‎02-20-2013 04:18 AM

The problem I'm facing is that I want a search that comes up with the possibility to set different time modifiers for different events.
For examples i want all account-registrations of january and all item-buys of january AND february.

I'm aware of the possibility of append (but it only works on results right, is there a similar function to append events?), but since this uses a subsearch which performs badly I'm searching for a different possibilty.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-20-2013 08:04 AM

Try this:

Search over January + February

(account-registrations) OR (item-buys)
| eval eventCategory = If(somecriteria,"Registration","Buy")
| eval month = if (_time < relative_time(now(),"@mon"),"Last","Current")
| where month = "Last" OR eventCategory="Buy"

I don't have enough information to write the actual search, or the criteria for the first if function. But this is a start... and it does avoid subsearches.

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎02-20-2013 08:04 AM

Try this:

Search over January + February

(account-registrations) OR (item-buys)
| eval eventCategory = If(somecriteria,"Registration","Buy")
| eval month = if (_time < relative_time(now(),"@mon"),"Last","Current")
| where month = "Last" OR eventCategory="Buy"

I don't have enough information to write the actual search, or the criteria for the first if function. But this is a start... and it does avoid subsearches.

Reply
Solved! Jump to solution

p_splunk
Engager
‎02-20-2013 10:08 AM

thanks for the great answer, performs very well.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...