joining / subsearching / dual sourcetype for match...

fox · ‎05-10-2010

I have two related sets of data: Errors and CalcRun. The relationship in SQl speak is Many Errors to a CalcRun. When listing an error or set of errors I need to establish the appropriate CalcRun based on the time stamp.

Example:

Errors table:

10:12 error1
10:23 error2
10:34 error3
10:45 error4
10:56 error5

CalcRun table:

09:30 CalcRunA
10:01 CalcRunB
10:40 CalcRunC
10:50 CalcRunD
11:10 CalcRunE

Required 1 table Splunk output results from these two data inputs:

TIME: ERROR: CALCRUN:
10:12 error1 CalcRunB (error after 10:01 & before 10:40 hence B)
10:23 error2 CalcRunB (error after 10:01 & before 10:40 hence B)
10:34 error3 CalcRunB (error after 10:01 & before 10:40 hence B)
10:45 error4 CalcRunC (error after 10:40 & before 10:50 hence C)
10:56 error5 CalcRunD (error after10:50 & no more runs hence D)

This is easy to do in SQL with a cursor, any guidance on how to do this in splunk?

Dan · ‎05-10-2010

I would start with lookups rather than transaction or subsearch. From the Error events, use the _time field to do a temporal lookup for the CalcRun value. This approach will perform well and can be wired to happen automatically. It's all documented here: http://www.splunk.com/base/Documentation/latest/Knowledge/Aboutlookupsandfieldactions

joining / subsearching / dual sourcetype for matching error attibutes

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!