×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mchuli934
Loves-to-Learn Lots
Member since: ‎07-12-2022
‎07-13-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎07-12-2022
View All

Re: Any idea about the query optimization with usi...

by in Splunk Search
‎07-12-2022 07:24 PM
‎07-12-2022 07:24 PM
Thanks for the reply. I will try the method you sent here first and I have a question how do you use this method to make sure the two events(one with objectname c and one with object a or b) they happen close.   And I am thinking about not using time difference to locate the most close event(with ObjectName C) and (with ObjectName A or B) . Thanks!   ... View more

Any idea about the query optimization with using j...

by in Splunk Search
‎07-12-2022 04:28 PM
‎07-12-2022 04:28 PM
Hi,  I am trying to get all events with two different kinds of objectname(A or B vs C) but with the same username and their access time should be close.  The accessTime of events with Objectname C should be happen just after the events with  Objectname A or B.  Here is my current query: index=index1 host=host1 ObjectName=A OR ObjectName=B |rename accessTime AS accTime1 | eval ptime=strptime(accTime1,"%Y-%m-%d %H:%M:%S") | join userName [ search index=index1 ObjectName=C | rename accessTime AS accTime2 | eval itime=strptime(accTime2,"%Y-%m-%d %H:%M:%S") ] | eval diff=abs(ptime-itime)/60 |appendpipe [|search diff<2] | timechart span=1day dc(userName) is there any way can help me optimize this query since when the search time window become to be 1 months or more, the subsearch limitations will influence the search result. Thanks! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-13-2022 12:30 AM