Splunk Search

How to define "latest" based on "earliest" in order to act on the group of events happening in a certain duration.

ahuseid
New Member

I have a search challenge where I need to pick a _time from SearchA and look for all the events happening in SearchB within a certain duration (a few minutes). When I used "map" in SearchB with "earliest" taken from SearchA and "latest" set to "earliest" plus a few minutes, it does not work at all. This is roughly what I used:

index=ABC sourcetype=STypeA | eval st=_time | map search="search index=ABC sourcetype=STypeB user=xyz earliest=$st$ | eval latest=$st$+3600"

Note that both searches use the same index (ABC).

I appreciate your help.

Thanks.

0 Karma

woodcock
Esteemed Legend

Try this:

index=ABC sourcetype=STypeA | eval lotime=_time | eval hitime=lotime+3600 | map search="search index=ABC sourcetype=STypeB user=xyz earliest=$lotime$ latest=$hitime$"
0 Karma
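As an added example, not code from either poster: the answer above written out for the "few minutes" the question actually asks about (180 seconds rather than 3600), with map's search cap raised, because map runs at most 10 subsearches by default and stops with a message once it hits that limit. It is followed by a map-free form of the same correlation that is not capped and is usually much faster on large result sets. Index ABC, sourcetypes STypeA/STypeB and user=xyz are the placeholders from the question; trigger_time and window_start are field names chosen here.

```spl
index=ABC sourcetype=STypeA
| eval lotime=_time, hitime=_time+180
| map search="search index=ABC sourcetype=STypeB user=xyz earliest=$lotime$ latest=$hitime$ | eval trigger_time=$lotime$" maxsearches=100

index=ABC (sourcetype=STypeA OR (sourcetype=STypeB user=xyz))
| sort 0 _time
| eval trigger_time=if(sourcetype=="STypeA", _time, null())
| streamstats last(trigger_time) as window_start
| where sourcetype=="STypeB" AND _time-window_start<=180
```

In the first search the window comes from the outer event: earliest is inclusive and latest is exclusive, so each subsearch returns the STypeB events for user xyz that fall inside [lotime, lotime+180), and eval trigger_time keeps a copy of the STypeA timestamp that produced them. In the second search both sourcetypes are pulled in one pass and sorted oldest first; streamstats last() skips null values, so window_start on every event is the timestamp of the most recent STypeA event seen so far, and the where clause keeps only STypeB events that arrived within 180 seconds of that trigger. STypeB events with no earlier trigger have a null window_start and are dropped. Run either form over a time range that covers both the triggers and the window after the last one, otherwise the tail of the last window is cut off.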