Fuzzy time range searches and sub-searches.

Hi,

Looking for tips/hints on the best way to extract a value from a sub-search, including the timestamp that the is associated with the value, and perform a search in another index for that value within a fuzzy-ish range around that same timestamp.

Scenario is this:
index foo has an IP address and a time and date. index bar ALSO has IP address, time and date, but contains additional values, such as OS

In meta-search syntax, I'd like to do:

index=bar fuzzyrange=2hr [ search index=foo ip=1.2.3.4 | return ip,timestamp ]

And I'd like Splunk to magically take the timestamp from the subsearch and look for the same IP in the bar index, but with a two hour variation on that timestamp.

Is there an easy way?

asked 06 Jun '12, 17:44

howyagoin
250●1●2●11
accept rate: 55%

One Answer:

oldest newest most voted

0	It sounds very much like you could benefit from using the `localize` command. The docs explain the concept pretty well so I'll just link you there: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Localize link answered 06 Jun '12, 21:55 Ayn 26.0k●3●7●17 accept rate: 41%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

time ×352
subsearch ×223
return ×10

Asked: 06 Jun '12, 17:44

Seen: 635 times

Last updated: 06 Jun '12, 21:55

Fuzzy time range searches and sub-searches.

Follow this question

Splunk Resources

Related questions