topic Multiple time frame search with one of the time frames not utilizing brackets within a macro in Knowledge Management https://community.splunk.com/t5/Knowledge-Management/Multiple-time-frame-search-with-one-of-the-time-frames-not/m-p/483860#M4316 <P>I have a solution that uses api called macros that prefix the time frame to the search.</P> <P>ie. earliest="03/14/2019:00:00:00" latest="03/14/2019:23:59:59" <CODE>my_report(sample)</CODE></P> <P>I need to modify this macro to search two different datasets for two different time spans (one summary, the other near realtime raw).</P> <P>The idea being that I can stitch the summary and raw together to create an up to the minute report.</P> <P>Contents of my_report macro<BR /> index=old_summary_data $token1$ OR (index=new_raw_data earliest=@d latest=now $sample$)</P> <P>My expanded macro becomes this </P> <P>earliest="03/14/2019:00:00:00" latest="03/14/2019:23:59:59" index=old_summary_data $token1$ OR (index=new_raw_data earliest=@d latest=now $sample$)</P> <P>This will fail </P> <P><EM>Error in 'litsearch' command: Unable to parse the search: Invalid time bounds in search: start=1568869200 &gt; end=1568865600.</EM></P> <P>This is due to not having a bracket preceeding the first "earliest" as per splunk docs : <BR /> (<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers</A>) </P> <P>example.(earliest="1/22/2018:17:00:00" latest="1/22/2018:18:00:00") OR (earliest="1/22/2018:19:00:00" latest="1/22/2018:20:00:00")</P> <P>Is there any way I can make a non-bracketed time frame and query honor the </P> <P>earliest="03/14/2019:00:00:00" latest="03/14/2019:23:59:59" index=old_summary_data $token1$ OR (index=new_raw_data earliest=@d latest=now $sample$)</P> Wed, 30 Sep 2020 02:13:46 GMT Lucas_K 2020-09-30T02:13:46Z Multiple time frame search with one of the time frames not utilizing brackets within a macro https://community.splunk.com/t5/Knowledge-Management/Multiple-time-frame-search-with-one-of-the-time-frames-not/m-p/483860#M4316 <P>I have a solution that uses api called macros that prefix the time frame to the search.</P> <P>ie. earliest="03/14/2019:00:00:00" latest="03/14/2019:23:59:59" <CODE>my_report(sample)</CODE></P> <P>I need to modify this macro to search two different datasets for two different time spans (one summary, the other near realtime raw).</P> <P>The idea being that I can stitch the summary and raw together to create an up to the minute report.</P> <P>Contents of my_report macro<BR /> index=old_summary_data $token1$ OR (index=new_raw_data earliest=@d latest=now $sample$)</P> <P>My expanded macro becomes this </P> <P>earliest="03/14/2019:00:00:00" latest="03/14/2019:23:59:59" index=old_summary_data $token1$ OR (index=new_raw_data earliest=@d latest=now $sample$)</P> <P>This will fail </P> <P><EM>Error in 'litsearch' command: Unable to parse the search: Invalid time bounds in search: start=1568869200 &gt; end=1568865600.</EM></P> <P>This is due to not having a bracket preceeding the first "earliest" as per splunk docs : <BR /> (<A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers</A>) </P> <P>example.(earliest="1/22/2018:17:00:00" latest="1/22/2018:18:00:00") OR (earliest="1/22/2018:19:00:00" latest="1/22/2018:20:00:00")</P> <P>Is there any way I can make a non-bracketed time frame and query honor the </P> <P>earliest="03/14/2019:00:00:00" latest="03/14/2019:23:59:59" index=old_summary_data $token1$ OR (index=new_raw_data earliest=@d latest=now $sample$)</P> Wed, 30 Sep 2020 02:13:46 GMT https://community.splunk.com/t5/Knowledge-Management/Multiple-time-frame-search-with-one-of-the-time-frames-not/m-p/483860#M4316 Lucas_K 2020-09-30T02:13:46Z