- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to apply two different searches based on the d...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to apply two different searches based on the date of the event?
I have a situation where information about a certain event is logged concurrently to two different files. The information will continue to be logged to two different files, but due to various reasons in logging, one is more accurate before a certain date. I want to apply two different searches depending on the date of the event and have the searches apply the date preset set on the search bar.
(applies before 4/1/2016)
search1: path="/path/to/file1"
(applies after 4/1/2016)
search2: path="/path/to/file2" sourcetype="interesting_event"
The combined search (doesn't work correctly) looks like this:
source="/path/to/file1" latest="4/1/2016:00:00:00" | append [search source="/path/to/file2" sourcetype="interesting_event" earliest="4/1/2016:00:00:00"]
What I would like is when the time frame is set to "Last 15 minutes", it'll return the results from the second search only and when the time frame is set to "Last 30 days", it'll return the appropriate results from both searches.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, did any of the comments below help you on this?
If yes, can you mark it as answered?
If not, is there any else we can do to help?
Unanswered questions make me sad 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is what I would do:
(source="/path/to/file1" AND _time <= [
| stats count
| eval time="04/01/2016:00:00:00"
| eval time=strptime(time, "%m/%d/%Y:%H:%M:%S")
| return $time
]
)
OR (source="/path/to/file2" AND sourcetype="interesting_event" AND _time > [
| stats count
| eval time="04/01/2016:00:00:00"
| eval time=strptime(time, "%m/%d/%Y:%H:%M:%S")
| return $time
]
)
And then probably append the following to double check it's behaving as expected:
| timechart count by source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Long story short, you can't do that. Time modifiers in the search will always overrule the time picker. Having said that, what you might be able to do is to use the values of a time picker as tokens.
- You put your search in a dashboard panel and create a new time picker
- You use eval to check the value of the timepicker
- You filter out events that do not meet the requirements from the time picker
You might end up with something like this (please note that this is just an indication, this code will not work but is intended to point you in the right direction):
source="/path/to/file1" latest="4/1/2016:00:00:00" | eval X = if($timepicker.earliest$ > [4/1/2016:00:00:00 in seconds], 0 ,1) | search X=1| append [search source="/path/to/file2" sourcetype="interesting_event" earliest="4/1/2016:00:00:00"]
Although this option might work, and might be useful in you case, I wouldn't recommend it as it is very in efficient, slow and complex.
Another option might be the multisearch command (http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Multisearch ).
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
