Solved: Re: Search Time interval

grio · ‎10-26-2010

sourcetype=A earliest=10/21/2010:09:0:0 latest=10/21/2010:09:02:0 OR sourcetype=listener earliest=10/21/2010:08:59:0 latest=10/21/2010:09:03:0 | eval x=case(sourcetype=="A" , 1 , sourcetype=="B",2) | stats sum(x) as x by id | fields x,id | where x==1

hello

I have a search problem

I would like to set two times interval ??

Thank you for your help

chris · ‎10-31-2010

You can concatenate the results of 2 searches by using append and the 2 searches can have different time ranges.

sourcetype=A earliest=-30m latest=-20 | append [search sourcetype=B earliest=-25m latest=-15m]

View solution in original post

gkanapathy · ‎10-31-2010

Your original will work fine if you parenthesize correctly and specify your times in an acceptable format:

(sourcetype=A earliest=10/21/2010:09:00:00 latest=10/21/2010:09:02:00) OR (sourcetype=listener earliest=10/21/2010:08:59:00 latest=10/21/2010:09:03:00)

View solution in original post

gkanapathy · ‎10-31-2010

Your original will work fine if you parenthesize correctly and specify your times in an acceptable format:

(sourcetype=A earliest=10/21/2010:09:00:00 latest=10/21/2010:09:02:00) OR (sourcetype=listener earliest=10/21/2010:08:59:00 latest=10/21/2010:09:03:00)

chris · ‎10-31-2010

You can concatenate the results of 2 searches by using append and the 2 searches can have different time ranges.

sourcetype=A earliest=-30m latest=-20 | append [search sourcetype=B earliest=-25m latest=-15m]

Search Time interval

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?