Hi,
My issue is that I have two different searches,
first: index=test user=test document=*
second: index=test2 user=test src=home action=view
What I would like to do is gather the timestamps from the first search and add them as a condition for the second search. I would also like to shorten the timestamp to the current hour so I can get the view actions that happened before and after there was a document value.
Is there any way of doing this in Splunk?