Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to create a search based on timestamps from another search?

YoungDaniel
Path Finder
‎12-16-2015 05:04 AM

Hi,

My issue is I have two different searches,
first: index=test user=test document=*
second: index=test2 user=test src=home action=view

What I would like to do is gather the timestamps from the first search and add them as a condition for the second search. I would also like to shorten the timestamp to the current hour so I can get the view actions that happen before and after there was a document value.
Is there any way of doing this in Splunk?

0 Karma
Reply

woodcock
Esteemed Legend
‎12-17-2015 10:56 AM

Take a look at this question and answer that shows how to use the map command to use times from one search in another search:

https://answers.splunk.com/answers/232781/find-all-events-of-type-x-that-do-not-have-an-even.html

Reply

sundareshr
Legend
‎12-16-2015 08:23 AM

Have you looked at the map command? That may be what you are looking for.

Reply

jkat54
SplunkTrust
SplunkTrust
‎12-16-2015 05:20 AM

Youll need a main search where you rename _time to another field using eval, and then you'll pass that field to either a subsearch or appendcols, etc to bring in the data where _time is greater than the new datetimestamp you created in the main search.

something like this

index=test user=test document=* | eval firstDate=_time | eval lastDate=_time+86400 | table firstDate, lastDate | appendcols [search index=test2 user=test src=home action=view | where lastDate < _time > firstDate | table fieldNames]

maybe break the where into two where statements so you can do the greater than this less than that.

0 Karma
Reply

YoungDaniel
Path Finder
‎12-16-2015 06:47 AM

Thank you for all your help!
I still cant seem to get it right, but I did notice that Both indexes have the same date_month, date_mday and date_year fields, is there any way that i could use these fields with the Where command?
i.e index=test user=test document=* <-- should return all event where there is a document--> | table date_mday date_year document
and then run a sub search on
index=test2 user=test src=home action=view |where date_mday =date_mday(1) |where date_year = date_year(1) | table user otherindexspecfields

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...