Splunk Search

Join two queries by nearby event times

chrisboy68
Contributor

Hi, can't seem to get what I'm looking for working. Here is what I want to do.

Issue a main search of events. Find events around the same time (+/- 10 seconds) around each event of the main search. My result set would be list of events before and after (+/- 10 sec) each main search event.

Any ideas?

Thanks
Chris

Tags (1)
1 Solution

chrisboy68
Contributor

No, but I did now! Thanks! All working. Didnt know about Map.

Chris

0 Karma

chrisboy68
Contributor

Hmm, just noticed I'm not getting the results from the base search. Is there a way I can see both the base search and map search as events?

This is what I'm running.

index=myindex AND sourcetype=mysource AND Name="SYSTEM_ERROR"
| eval start_time=_time-10
| eval end_time=start_time+10
| map search="search index=myindex source="anothersource" earliest=$start_time$ latest=$end_time$"

Thanks

Chris

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Yup... Map uses base search as input and it's search as output for the query. I don't of any better way to have to result of both the queries without appending the base search again, as subsearch, at the end.

base search | map search="some search" | append [search base search]
0 Karma

chrisboy68
Contributor

Ok thanks!

Chris

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...