

| eval fillOutTime=(submitTime-retrieveTime)/60

But this only results in a table with IP Addresses and submit times.

| stats latest(submitTime) as retrieveTime by ipAdd]

I've tried the following: index=sys GET form

It analyzes semi-structured data and logs generated by various processes with proper. One or more of the fields must be common to each result set. I can't seem to use the time of the first search as the time for the second search. Splunk is a program that enables the search and analysis of computer data.

Splunk Join

The join command is used to combine the results of a subsearch with the results of the main search. I want to use the last retrieval time BEFORE the time the form was submitted to get a best estimate of the fill out time. Steps: Open or create a local nf file at $SPLUNK_HOME/etc/system/local. Sometimes users only retrieve the form once before filling it out, but they might also do it multiple times, even after submitting it.

Solution (woodcock, 04-11-2017 06:55 AM): Skip join entirely (it has inescapable limits) and do this:

    my search OR my second search
    | eval joiner=coalesce(column1, column2)
    | stats values(*) AS * BY joiner
    | fields - joiner

Just try it before you think it won't work.

I'm using their IP address to identify the user. I'm trying to calculate the average time users take to fill out one of our forms.

What is the Join Command in Splunk? The join command brings together two matching fields from two different indexes.
