Splunk Search

Can we use Start/End times from a query to get duration to use it in another search query to get an average of a field in that duration?

MSaraswat
New Member

I am able to get the Start/End times of a load test execution from a search query (by getting End time from the Timestamp field of the log data, and subtracting the duration field to get Start time).
Now I want to use this Start time, End time and the duration between them in another search query with a different sourcetype, such that it would fetch all the data inputs falling within that time duration (between Start/End times) from another app's logs - to calculate the average/count of a field.
So, please help me in achieving the desired data with the required search queries (using subsearch/joins etc.)

0 Karma

gcusello
SplunkTrust

Hi MSaraswat,
try something like this

index=my_index1 sourcetype=my_sourcetype1 [ search index=my_index2 sourcetype=my_sourcetype2 | rename Timestamp AS latest | eval earliest=strptime(latest,"time_format")-duration | fields earliest latest ]
| ...

(I don't know the Timestamp field format so you have to customize it).

Bye.
Giuseppe

0 Karma

micahkemp
Champion
[search <your search that creates start/end fields> | rename start AS earliest, end AS latest | table earliest latest] <your new search>

As a run-anywhere example:

[| makeresults | eval start=relative_time(now(), "-10min"), end=relative_time(now(), "-5min") | rename start AS earliest, end AS latest | table earliest latest] index=_internal

Note the run-anywhere example doesn't have `search` in the subsearch (between the []). This is because makeresults is a generating command. I'm assuming your initial search that calculates start/end will use an indexed search, and the `search` command that would be assumed in your main search string must be explicitly included inside a subsearch.
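To make the two-step logic from the answers above concrete outside Splunk, here is an added Python model (not code from the thread or from Splunk): the "subsearch" step derives one earliest/latest window per load-test run from Timestamp minus duration, and the "main search" step keeps only the other sourcetype's events inside that window and computes count and average of a field. The timestamp format, the duration unit (seconds) and the field names are assumptions; the sample log events are constructed.

```python
from datetime import datetime, timezone

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # stands in for the "time_format" placeholder (assumed)

# Constructed load-test log: Timestamp marks the END of a run, duration is in seconds (assumed).
LOAD_TEST_LOG = [
    {"test": "checkout", "Timestamp": "2024-05-01 10:05:00", "duration": 300},
    {"test": "login",    "Timestamp": "2024-05-01 11:02:00", "duration": 120},
]
# Constructed events from the other sourcetype; response_ms is the field to average.
APP_LOG = [
    {"Timestamp": "2024-05-01 09:59:59", "response_ms": 900},  # before any window
    {"Timestamp": "2024-05-01 10:00:00", "response_ms": 200},  # exactly at earliest: kept
    {"Timestamp": "2024-05-01 10:02:30", "response_ms": 300},
    {"Timestamp": "2024-05-01 10:04:59", "response_ms": 400},
    {"Timestamp": "2024-05-01 10:05:00", "response_ms": 900},  # exactly at latest: dropped
    {"Timestamp": "2024-05-01 11:00:30", "response_ms": 100},
    {"Timestamp": "2024-05-01 11:01:00", "response_ms": 150},
    {"Timestamp": "2024-05-01 11:01:15"},                      # field missing: ignored, like stats
    {"Timestamp": "2024-05-01 11:30:00", "response_ms": 900},  # after any window
]

def to_epoch(ts, fmt=TIME_FORMAT):
    """Counterpart of SPL strptime(): timestamp string -> epoch seconds (UTC assumed)."""
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc).timestamp()

def windows(load_test_events):
    """Subsearch step: one earliest/latest pair per run, earliest = Timestamp - duration."""
    out = []
    for ev in load_test_events:
        latest = to_epoch(ev["Timestamp"])
        earliest = latest - float(ev["duration"])
        out.append({"test": ev["test"], "earliest": earliest, "latest": latest})
    return out

def stats_in_window(app_events, window, field):
    """Main-search step. Splunk time ranges are earliest <= _time < latest, so latest is exclusive."""
    vals = [float(e[field]) for e in app_events
            if field in e and window["earliest"] <= to_epoch(e["Timestamp"]) < window["latest"]]
    count = len(vals)
    return {"count": count, "avg": (sum(vals) / count) if count else None}

def per_run_stats(load_test_events, app_events, field):
    """Like a subsearch returning several rows: evaluate every run's window against the app log."""
    return {w["test"]: stats_in_window(app_events, w, field) for w in windows(load_test_events)}

if __name__ == "__main__":
    print(per_run_stats(LOAD_TEST_LOG, APP_LOG, "response_ms"))
```

If the subsearch returns more than one earliest/latest row, Splunk ORs them together, so the per-run split shown here needs a per-run field (such as `test`) carried through the subsearch if you want separate averages.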
