Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search for all events that happened one hour before any event from a specific set of events?

lilianwong
Splunk Employee
Splunk Employee
‎04-19-2016 09:39 AM

Let's say there's a specific set of events I'm looking at (Events A). Now I want to write a search to return all events that happened one hour before any event in Events A. How can I do that?

0 Karma
Reply

sundareshr
Legend
‎04-19-2016 06:42 PM

Have you looked at the map command. http://docs.splunk.com/Documentation/Splunk/6.0.6/SearchReference/Map

0 Karma
Reply

jensonthottian
Contributor
‎04-19-2016 09:59 AM

Try this :

Logic - So the sub search does this - when eventA occures we get the time for that and compute earliest as {_time - 1 hour and 2 minutes} and latest as {_time - 1 hour}

index=abc sourcetype=xyz [ search index=abc sourcetype=xyz "EventA"
| eval earliest=_time-3720 | eval latest=_time-3600 | fields src_ip earliest latest | FORMAT "(" "(" "" ")" "OR" ")" ]
0 Karma
Reply

lilianwong
Splunk Employee
Splunk Employee
‎06-24-2016 11:19 AM

Thank you. What's the FORMAT function for?

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...