Solved: Why does a join of a search and subsearch on _time...

manus · ‎09-10-2014

I tried to join a search and subsearch on _time with the join command, but this failed, even though the resulting time values matched. Why did this happen?

manus · ‎09-10-2014

A join on _time can fail even if the epoch values match. The failure is caused if one epoch _time value has a numeric format with decimal places and the other does not.

Example:
If on left side, you have _time=1405206000

and on right side, you have _time=1405206000.000

the join will fail, even if on screen you will see the same value on both sides: 2014-07-13 00:00:00

If you first timestamp is always precise to the second and no more, here is how you can make your join safer:

eval _time=round(_time,0) on the right side.

View solution in original post

ppablo · ‎09-10-2014

Just edited the entire post to fit the Q&A format 🙂 Thanks for posting @manus. I think others will find this content useful

Patrick

manus · ‎09-10-2014

Well yes, initially, I wanted to ask about my problem on joining on time... but then I figured it out, so I thought I would share the reply, even though I don't have a question anymore

manus · ‎09-10-2014

A join on _time can fail even if the epoch values match. The failure is caused if one epoch _time value has a numeric format with decimal places and the other does not.

Example:
If on left side, you have _time=1405206000

and on right side, you have _time=1405206000.000

the join will fail, even if on screen you will see the same value on both sides: 2014-07-13 00:00:00

If you first timestamp is always precise to the second and no more, here is how you can make your join safer:

eval _time=round(_time,0) on the right side.

lguinn2 · ‎09-10-2014

Did you have a question?

Why does a join of a search and subsearch on _time with matching values fail?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!