Check if a measurement is between startTime and en...

dgriffioen · ‎04-06-2019

Hi,

I have 2 indexes.

measurements - list of all measurements ( _time, transactionId, transTime, resultStatus)
incidents - list of incidents ( _time, transactionId, incidentId, startTime, endTime, valid, checked, comment)

_time in the incidents table is the time that the incident is inserted into Splunk.

i would like to check for each measurement if it was between the startTime and endTime of a valid incident on that transaction and add a field "availability" with 0 if it was in an incident and 1 if it was not to each measurement.

i tried things with map command and join but i cant find the right approach. please help:)

thanks!

dgriffioen · ‎04-10-2019

I have found another angle to this problem so i`m not trying to get this done anymore. im now keeping the incidents separated and calculating duration of incidents, filtering etc. there instead of trying to tie all incidents to a measurement and get one overview of everything. Thanks.

burwell · ‎04-07-2019

I don't have a complete answer. I think you want to avoid doing a join especially if your incident table gets big as Splunk joins are quite limited (currently.)

Seems like what you might want is an automatic lookup at search time: https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/DefineanautomaticlookupinSplunkWeb

woodcock · ‎04-07-2019

Show us your searches!!!

Check if a measurement is between startTime and endTime of an incident

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases