Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Tag events coming from two sources as Potential and False

veerendra_modi
Loves-to-Learn
‎03-27-2019 04:34 AM

I have two sources of events say source_1 and source_2
Both the events are coming to splunk i need to check the id and Timestamp of the event and
if the event coming from both sources at around same time i have to tag it as "Potential" otherwise "False".

The catch is if i get the event at say 3pm from source_1 then my rule should check for the same event from 2:55 to 3:05 for sourcetype_2.
If found tag it as "Potential" otherwise "False".

Please help with this.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...