problem with the nearest time range

abhayneilam
Contributor

Hi,

I have two files and I want to correlate them based on the "Time Field". The problem is that the "Time Field" does not have the same value in both files. Manually, I just take one time from file A, find the nearest time in the second file and put all the values together.

Is it possible in SPLUNK to just match the event with the nearest time (if the exact time is not defined)?

Please help in this regard.

Thanks in advance,
Abhay


martin_mueller
SplunkTrust

You could use the approach of comparing floating point numbers with each other. There, you do not test floatA == floatB because rounding errors and other nastiness may lead to two different values while mathematically both would be equal. Instead, you define a tolerance within which two values are considered equal: abs(floatA - floatB) < tolerance. How large the tolerance should be depends on the specific use case.

In your situation you could do the same, not look for equal timestamps but rather look for timestamps that are "almost equal". To put some numbers to it, if you get two files every hour but they're off by up to a minute you would not get them with equality but would get them with a tolerance of a minute.

That relies on the tolerance being smaller than the gap between unrelated events of course. Ideally, you would have another means of correlating the two files as Drainy mentioned.

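One way to express this tolerance match in SPL, as an added example that is not part of the answer above: both files are indexed, the sources are assumed to be named fileA.csv and fileB.csv, file A carries a field named value, and the tolerance is 60 seconds (all of these are assumptions for the illustration). The search sorts both sources together by time, carries the most recent file A timestamp and value forward onto each later event, and then keeps only the file B events whose distance from that file A event is below the tolerance:

```spl
(source="fileA.csv" OR source="fileB.csv")
| eval src=if(source="fileA.csv", "A", "B")
| sort 0 _time
| eval timeA=if(src="A", _time, null()), valueA=if(src="A", value, null())
| streamstats current=f last(timeA) AS prevTimeA, last(valueA) AS prevValueA
| where src="B"
| eval delta=abs(_time - prevTimeA)
| where delta < 60
| table _time, value, prevTimeA, prevValueA, delta
```

streamstats with current=f ignores null values, so prevTimeA and prevValueA always hold the closest preceding file A event, and the where on delta is the abs(floatA - floatB) < tolerance test from the answer. This pairs each file B event only with the file A event before it; to pair with the following one instead, sort in descending order (sort 0 -_time). As the answer notes, the tolerance must be smaller than the gap between unrelated events, otherwise a file B event can be paired with the wrong file A event, so check the delta column on a sample before relying on the join.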

Drainy
Champion

Can you try explaining that again? How do you know they are related if the time doesn't match? Is there another relation you aren't explaining? Have you considered paying for Splunk training? This community is great at helping people learn and overcome challenges, but a lot of your challenges are, "How do I do this basic task that is listed in the Splunk documents?"
That suggests that you need to either read the tutorials or pay for training. Of course, this may not apply to this question, as I can't figure out your problem 🙂
