Splunk Search

How to run a multi search with a dynamic calculated time frame

lukepatrick
Explorer

I have an existing search that finds "RunDate" "StartTime" "EndTime" stored as part of test run summaries. The search then proceeds to convert those time values into usable Unix, via strptime.

index="IDX1" sourcetype="SRC" ProjectName="PRJ" | eval stime = strptime(StartTime,"%m/%d/%Y %I:%M:%S %p") | eval etime = strptime(EndTime,"%m/%d/%Y %I:%M:%S %p") | table RunDate stime etime | sort RunDate desc

Now is the tricky part...
I would like a 4th column that uses the time frame in each row to perform a calculation on values coming from a different source.

index="IDX2" "HOST" "data.metricId" IN (1234) | stats avg("data.metricValues{}.value") as average | eval total=average/100 

Somehow, this needs to be time constrained by "earliest=stime" & "latest=etime" for each RunDate (the results should be a series)

Is this possible? To run a secondary search/eval, using calculated values from the primary search as the earliest and latest time constraints?

0 Karma

lukepatrick
Explorer

Sorry to dig this back up, I will start a new thread if needed.

The above doesn't work, I believe, because there is no field in common between the two searches. I am not sure map search will work, but I am open to trying other variations of this.

0 Karma

woodcock
Esteemed Legend

This is possible, but dangerous at scale; there is a very good reason that map defaults to maxsearches=10. Try this:

index="IDX1" AND sourcetype="SRC" AND ProjectName="PRJ"
| eval stime = strptime(StartTime,"%m/%d/%Y %I:%M:%S %p")
| eval etime = strptime(EndTime,"%m/%d/%Y %I:%M:%S %p")
| table RunDate stime etime
| sort 0 - RunDate
| map search="search index=\"IDX2\" AND \"HOST\" AND \"data.metricId\" IN(1234) earliest=$stime$ latest=$etime$
| stats avg(\"data.metricValues{}.value\") AS average
| eval total = average / 100"
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...