cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Peely
Explorer
Member since: ‎11-18-2020
‎07-15-2021
Community Statistics
Posts 5
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎11-18-2020
Activity Feed
View All

Re: Join two rows and compare fields

by in Getting Data In
‎07-14-2021 06:34 AM
‎07-14-2021 06:34 AM
`mvindex` was the missing piece! Thank you very much. My final query was in the form of   index=*(action=start) | eval singleTimestamp=mvindex(timestamp, 1) | eval start_time=singleTimestamp | join correlationId [ search index=* action=end | eval singleTimestamp=mvindex(timestamp, 1) | eval end_time=singleTimestamp ] | eval endTime=strptime(end_time,"%Y-%m-%dT%H:%M:%S.%3N%Z"), startTime=strptime(start_time,"%Y-%m-%dT%H:%M:%S.%3N%Z") | eval timeTaken=floor((endTime-startTime)*1000)   ... View more

Re: Join two rows and compare fields

by in Getting Data In
‎07-13-2021 07:33 AM
‎07-13-2021 07:33 AM
Ok cool, I didn't know that! So I think that takes me a step closer but I'm still not getting a value for `timeTaken` in the result. I think my input timestamps have multiple values (though they shouldn't), would that effect it? See attached a screenshot of the Splunk GUI showing one of the timestamps on one of the input events.   ... View more

Join two rows and compare fields

by in Getting Data In
‎07-13-2021 06:32 AM
‎07-13-2021 06:32 AM
I feel i'm so close, but can't quite make it work. I've tried map and am now trying a sub search (I think it's a sub search). I'm trying to get the time difference between two events, but now using the "_time" field, instead using a timestamp field of my own. My events look something like this   {     action: "start",     correlationId:"_GUID_",     timestamp: "2021-07-13T03:44:46.100Z" } {     action: "end",     correlationId:"_GUID_",     timestamp: "2021-07-13T03:44:46.260Z" }     And my query so far is index=* action=start | eval start_time=timestamp | join correlationId [ search index=action=end | eval end_time=timestamp ] | eval timeTaken=end_time-start_time But timeTaken is never populated. It seams my `timestamp` field has a "none" in it as well as a timestamp, but i'm not sure why as the raw text does not have any spaces or anything.   I also tried a selfjoin, that overwrite the first `timestamp` with the second one, and a map, which came back with no results.  ... View more
Labels

Re: Asterix search returns nothing

by in Splunk Search
‎11-19-2020 11:17 AM
‎11-19-2020 11:17 AM
Wow, amazing, that was it. I would have never found that setting, thank you. ... View more

Asterix search returns nothing

by in Splunk Search
‎11-18-2020 01:36 PM
‎11-18-2020 01:36 PM
When I first setup Splunk on my local machine (Playing around with it as I learn it), I could search for '*' and get shown all events for the time period. Then suddenly, I got no data back. I thought my events were lost. After lots of container deletes and creation ( Running in Docker), I eventually realised that my data was their, but ONLY when i searched for it exactly. What is going on? This is an image of four searches, but only the specific ones return data. Why has '*' stopped working? https://imgur.com/a/CYBJcHJ ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-15-2021 05:24 AM
Karma given to
View All