Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you correlate data across two sources with time comparison between events?

blascola
New Member
‎11-16-2018 10:29 AM

I want to create an alert for when a user logs in without badging a door within 8 hours prior. My login logs and door logs are in two separate indexes and source types. I created an alias in both source types so the account name field matches. Is there a way to do a time comparison within an eval similar to eval login=if(login to door time >= 8hrs,bad,good)?

Tags (1)
0 Karma
Reply

laurie_gellatly
Communicator
‎11-18-2018 02:48 PM

http://wiki.splunk.com/Community:UseSplunkForEventCorrelation might help and/or consider using stats.

You might be able to improve on this with a single stats command, but at least this should work and give you the ability to specify different time ranges per index:

index=logins
| stats max(_time) as lt by account 
| join account [ search index=door_time | stats min(_time) as ft by account | fields + ft account] 
| eval duration = lt-ft 
| table duration lt ft account

Assumes that 'account' is your user name that matches in both indexes.

...Laurie:{)

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...