Pass a variable form subsearch but it should not b...

max_jay · ‎05-24-2018

I have two logs. First log contain start date and end date in second log.
First log query :
index=abc sourcetype=abc_agent_perf | eval sourceCreateDate=strptime(TimestampStart,"%Y-%m-%d %H:%M:%S”)

Second log query:
index=abc sourcetype=abcperf | eval endDate=strptime(CreateDateTime,"%Y-%m-%dT%H:%M:%S.%3NZ")

Both logs have GUID in common. But its ParentEventGUID in second and EventGUID in first. So have modified second query.
index=abc sourcetype=abcperf | eval endDate=strptime(CreateDateTime,"%Y-%m-%dT%H:%M:%S.%3NZ") | rename ParentEventGUID as EventGUID

I used subquery to combine both search.
index=abc sourcetype=abc_agent_perf [index=abc sourcetype=abcperf | eval endDate=strptime(CreateDateTime,"%Y-%m-%dT%H:%M:%S.%3NZ") | rename ParentEventGUID as EventGUID | fields + EventGUID ]| eval endDate=strptime(CreateDateTime,"%Y-%m-%dT%H:%M:%S.%3NZ")

But am not able to send endDate. If i send endDate from subquery because it is considered as search field and no result are returned.
I have to calculate difference between start and end date and plot a timechart graph.

Please let us know how to pass endDate without considered as search criteria. If there is another way, please point me in that direction.

Thanks in advance!

Pass a variable form subsearch but it should not be used in parent search.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!