Solved: Display value from field if value from other field...

jbesant · ‎07-08-2014

Hello, I am after some help to define the search that will display a list of field values if the value in another field changes from one value to another within a certain time frame

For example, I want to see the value of the field ID if the value of the field Loc changes from ABC to DEF within 30 minutes.

Thanks in advance.

somesoni2 · ‎07-08-2014

My guess will be that You could try transaction command on the ID field. May be something like this

your base search | transaction ID maxspan=30m startswith=ID=ABC endswith=ID=DEF | table your fields

View solution in original post

somesoni2 · ‎07-08-2014

My guess will be that You could try transaction command on the ID field. May be something like this

your base search | transaction ID maxspan=30m startswith=ID=ABC endswith=ID=DEF | table your fields

jbesant · ‎07-09-2014

Thanks. I made a small modification and that gave me exactly what I wanted. It showed all the locations (Loc) within the 30 minutes time window of the ID. Appreciated.

my search | transaction ID maxspan=30m startswith=Loc=ABC endswith=Loc=DEF | table ID Loc

Display value from field if value from other field changes within x mins

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life