×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jsleona
New Member
Member since: ‎02-23-2015
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-23-2015
View All

Saved search table value as array for multi-valued...

by in Splunk Dev
‎08-27-2017 08:17 AM
‎08-27-2017 08:17 AM
Hello I am doing a search that results in a table with these values... "| table _time, recState, context, message.connID, message.timeStamp.timeinSecs, message.agentID, message.aNI, host" The issue is that I need to know durations which is not captured in the events. But I can do... "index=abc sourcetype=xyz message.connID | stats range(_time) as difference". Which provides an individual view of the events with this one unique ID and provides overall event duration. I am trying to find a way to use the initial table as array values, run multiple searches like the one above, to produce a new table where each row has all the table columns and a new column for "duration" based one each unique message.connID. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM