|
I'm pretty new to this so if this is a newbie question I apologize. I'm doing a search against a set of log files (i.e. xyz.log). Each event, or record, contains an operation id and a timestamp(down to millisecond), among other things. So, I need no more in the search, UNLESS, the operation is MOVE. If the operation is MOVE, then I need to search for events in another log (abc.log) that have nearly the same time stamp, say, within 500 milliseconds, and display as well. |
|
Sounds like a pattern that could be accomplished with This would work best if there was some common value (other than time) linking the MOVE event to the abc.log events. |
|
You can use subsearch. It is extremely common, but also not the most intuitive to write: There's no need for an A search like this is featured on the Splunk Mug, the "What were you doing around the time of the murders?" query. So, how do we get a mug? This I can use! I have too many Splunk t-shirts that only seem to come in size L and are way to big for me. :)
(27 May '11, 03:34)
Glenn
Wouldn't this provide me with data for ONLY MOVE operations?
(27 May '11, 05:55)
dolfantimmy
What I mean is, I need to have all operations from xyz.log displayed, not just MOVE operations, but should only need to grab data from abc.log if the operation is MOVE. Also, forgive my ignorance, but I get an error when using the syntax you provided. |earliest=my_timestamp_var tells me it doesn't know what earliest is, same with latest.
(27 May '11, 08:18)
dolfantimmy
|
