Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Check if a measurement is between startTime and endTime of an incident

dgriffioen
Engager
‎04-06-2019 02:46 AM

Hi,

I have 2 indexes.

measurements - list of all measurements ( _time, transactionId, transTime, resultStatus)
incidents - list of incidents ( _time, transactionId, incidentId, startTime, endTime, valid, checked, comment)

_time in the incidents table is the time that the incident is inserted into Splunk.

i would like to check for each measurement if it was between the startTime and endTime of a valid incident on that transaction and add a field "availability" with 0 if it was in an incident and 1 if it was not to each measurement.

i tried things with map command and join but i cant find the right approach. please help:)

thanks!

Tags (1)
0 Karma
Reply

dgriffioen
Engager
‎04-10-2019 12:44 PM

I have found another angle to this problem so i`m not trying to get this done anymore. im now keeping the incidents separated and calculating duration of incidents, filtering etc. there instead of trying to tie all incidents to a measurement and get one overview of everything. Thanks.

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎04-07-2019 05:58 PM

I don't have a complete answer. I think you want to avoid doing a join especially if your incident table gets big as Splunk joins are quite limited (currently.)

Seems like what you might want is an automatic lookup at search time: https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/DefineanautomaticlookupinSplunkWeb

0 Karma
Reply

woodcock
Esteemed Legend
‎04-07-2019 08:04 AM

Show us your searches!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...