Hello Splunkers, I would like to seek advice on how to achieve the same goal without having to use the join command. This is the current search, with the use of the join command:
index=myidx sourcetype=myapp_log status=startSecurityUpgrade earliest=-6h@h latest=now | eval Start_Time=strftime(_time, "%m/%d/%y %H:%M:%S")
| join host_ip
[search index=idms_sat sourcetype=myapp_log status=sendCode earliest=-6h@h latest=now | eval Enrolled_Time=strftime(_time, "%m/%d/%y %H:%M:%S") ]
| where Enrolled_Time > Start_Time | timechart span=10m count(host_ip)
The problem I have with the above search (join command) is that if the data set is large, the count would become inconsistent.
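A join-free version of the same correlation, added here as an illustration rather than taken from the thread: it pulls both event types in one search, uses streamstats to carry each host's most recent startSecurityUpgrade time forward, and keeps only the sendCode events that follow it, comparing epoch _time values instead of formatted strings. It assumes the two event types live in the two indexes named above and that host_ip is present on both.

```spl
(index=myidx OR index=idms_sat) sourcetype=myapp_log
    (status=startSecurityUpgrade OR status=sendCode)
    earliest=-6h@h latest=now
| eval start_epoch=if(status=="startSecurityUpgrade", _time, null())
| sort 0 host_ip _time
| streamstats last(start_epoch) AS last_start_epoch BY host_ip
| where status=="sendCode" AND isnotnull(last_start_epoch) AND _time > last_start_epoch
| eval Start_Time=strftime(last_start_epoch, "%m/%d/%y %H:%M:%S"),
       Enrolled_Time=strftime(_time, "%m/%d/%y %H:%M:%S")
| timechart span=10m count(host_ip)
```

Because there is no subsearch, this is not affected by the subsearch result and runtime limits or join's one-match-per-key default, which is the usual reason join-based counts drift on large data sets.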