×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
szabolcs
Explorer
Member since: ‎07-15-2021
‎07-19-2021
Community Statistics
Posts 3
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎07-15-2021
Activity Feed
Topics I've Started
View All

Re: Join with calculated earliest

by in Splunk Search
‎07-19-2021 04:26 AM
‎07-19-2021 04:26 AM
This became a bit more complex than I had expected, but it works after taking care of the multivalue fields. Thanks again. ... View more

Re: Join with calculated earliest

by in Splunk Search
‎07-16-2021 01:00 AM
‎07-16-2021 01:00 AM
Thanks, that is a great idea! The following seems to be mostly working. index="..." sourcetype="..." someField=someValue [search index="..." sourcetype="..." myField=abc | sort -_time | head 1 | eval earliest=(collectionTimeEpoch-maxDurationInSeconds) | stats min(earlliest) as earliest] | join id [search index="..." sourcetype="..." myField=abc | sort -_time | head 1 | eval itemList=split(items,",") | mvexpand itemList | rex field=itemList "(?<id>[-\w\d]+)#content=(?<content>[-\w\d]+)" | eval earliest=(collectionTimeEpoch-maxDurationInSeconds)] The only problem is that Splunk does not support right(or full outer) join so if the main search does not find the value, I won't see the result of the subsearch either.  ... View more

Join with calculated earliest

by in Splunk Search
‎07-16-2021 12:07 AM
‎07-16-2021 12:07 AM
Hi, I don't know if it is possible, but I would like to specify the time range of a join subsearch from a calculated value. I have a similar log record and query: Log record:   myField=abc, collectionTimeEpoch=1626358999, maxDurationInSeconds=10, items=[id=00000000-00000000-00000000-00000000#content=123,id=myId2#content=456]   The query is similar to the following:   index="..." sourcetype="..." myField=abc | sort -_time | head 1 | eval itemList=split(items,",") | mvexpand itemList | rex field=itemList "(?<id>[-\w\d]+)#content=(?<content>[-\w\d]+)" | eval start=(collectionTimeEpoch-maxDurationInSeconds) | join type=left id [search earliest=-2d@d index="..." sourcetype="..." someField=someValue ]   I would like to replace earliest=-2d@d  to something like earliest=start, but that is not working. I have also tried   | join type=left id [search earliest=[stats count | eval earliest=(collectionTimeEpoch-maxDurationInSeconds) |fields earliest ] index="..." sourcetype="..." someField=someValue ]   Could you help me with this? Thanks in advance ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-19-2021 12:56 PM
Karma given to
View All