Hi everybody,
I am trying to write a query which fetches the start and end time of an event log error and uses that time period to get the total loss due to the error. Fetching the start and end time is done using a subsearch, and the parent query uses this data to find the total loss.
I tried running the parent query independently (by hardcoding the subsearch result) and the subsearch query independently, and they work fine. However, when I try to merge them together, Splunk does not return any results.
sourcetype="source" "Error Log" | stats min(_time) as MySTime max(_time) as MyETime | Eval MyStartTime = strftime(MySTime, "%Y-%m-%d %H:%M:%S") |EVAL MyEndTime = strftime(MyETime, "%Y-%m-%d %H:%M:%S") | fields MyStartTime, MyEndTime, Total [Search earliest="6/12/2013:00:00:00" latest="6/12/2013:06:00:00" sourcetype="source-2" ACTION_TYPE=5 | EVAL Amount = (QUANTITY * PRODUCT_PRICE) | stats Sum(Amount) as Total | where strftime(ACTION_TIME, "%Y-%m-%d %H:%M:%S") >= "2013-06-12 00:00:00" |fields + Total |Return Total]
Can someone please help us urgently?
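The subsearch-as-time-window pattern the post is reaching for, written out as an added example (this is not the original poster's query). The subsearch computes the error window and hands it back as `earliest`/`latest` via `return`, which the outer search then takes as its time bounds; the sourcetypes and field names are the ones from the post, and the outer search is assumed to run over the same time-picker range as the subsearch.

```spl
sourcetype="source-2" ACTION_TYPE=5
    [ search sourcetype="source" "Error Log"
      | stats min(_time) as earliest max(_time) as latest
      | eval latest = latest + 1
      | return earliest latest ]
| eval Amount = QUANTITY * PRODUCT_PRICE
| stats sum(Amount) as Total, min(_time) as MySTime, max(_time) as MyETime
| eval MyStartTime = strftime(MySTime, "%Y-%m-%d %H:%M:%S"),
       MyEndTime   = strftime(MyETime, "%Y-%m-%d %H:%M:%S")
| fields MyStartTime MyEndTime Total
```

The `latest + 1` is there because `latest` is exclusive in Splunk, so without it the last "Error Log" second would be dropped from the loss total. Placing the subsearch directly in the outer search (rather than after `fields`) is what lets its output act as a filter; a `where` on `ACTION_TIME` after `stats` would always fail, because `stats` keeps only the fields it computes.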