×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
robert_vincent
Engager
Member since: ‎05-22-2013
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎05-22-2013
Activity Feed
View All

Re: Index-time extraction of multiple timestamps f...

by in Getting Data In
‎08-09-2013 01:16 AM
‎08-09-2013 01:16 AM
You do not normally need to extract anything at index-time. You can make your comparisons with search-time extracted data. Don't know what you really want to do, and what the transaction is used for, but if max-execution-time is in seconds, the logic/math will be rather simple. Current time (when the search starts) can be found via now() . ...| eval XXX = _time + max-execution-time | eval YYY = if(XXX > now() AND next-timestamp < now(),"apple", "orange") Perhaps you want to also look at the dedup command to let you only get the most recent event for some field. See; http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/CommonEvalFunctions Some more explanation and a few sample events would let people here understand your problem better and be able to help you more. /K ... View more

Re: What kind of forwarder do I have?

by in Getting Data In
‎10-13-2016 11:27 PM
‎10-13-2016 11:27 PM
I typed that too early.. Little search and I was able to find it. index=_internal source=*metrics.log group=udpin_connections | dedup sourcePort ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All