https://community.splunk.com/t5/Splunk-Search/How-to-make-subsearch-use-same-time-range-same-index-same/m-p/422626#M121359 <P>Then how about the inverse? Does the outer search obey the limits set by the inner search? Will <CODE>earliest</CODE> and <CODE>latest</CODE> be honoured by the outer search if they are not explicitly overridden?</P> Fri, 14 Jun 2019 04:07:14 GMT petenetwork 2019-06-14T04:07:14Z https://community.splunk.com/t5/Splunk-Search/How-to-make-subsearch-use-same-time-range-same-index-same/m-p/422624#M121357 <P>So I specify an outer query, it usually starts like this:</P> <PRE><CODE>earliest=06/14/2019:13:00:00 latest=06/14/2019:14:00:00 index=os sourcetype=ps </CODE></PRE> <P>So far, so good. Now I want to find all PIDs using the same Java command line, e.g.</P> <PRE><CODE>|search [search CMD=java* |table CMD ] </CODE></PRE> <P>Then summarise the results:</P> <PRE><CODE>|stats values(PID) as PIDs by CMD </CODE></PRE> <P>The issue is that my subsearch doesn't seem to default itself to the <CODE>earliest</CODE> and <CODE>latest</CODE> fields I specified at the very beginning of the query. In fact I have to pad my subsearch like this:</P> <PRE><CODE>|search [search earliest=06/14/2019:13:00:00 latest=06/14/2019:14:00:00 index=os sourcetype=ps CMD=java* |table CMD ] </CODE></PRE> <P>This is unnecessarily bulky. And I don't want to have to specify the time range multiple times.</P> <P>How can I make my inner search (the "subsearch") adhere to the <CODE>earliest</CODE> and <CODE>latest</CODE> keywords specified to the outer search?</P> Fri, 14 Jun 2019 03:15:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-subsearch-use-same-time-range-same-index-same/m-p/422624#M121357 petenetwork 2019-06-14T03:15:55Z https://community.splunk.com/t5/Splunk-Search/How-to-make-subsearch-use-same-time-range-same-index-same/m-p/422625#M121358 <P>No, unfortunately. An outer search cannot pass values into a subsearch. Subsearches run before the outer searches so they can't get values that aren't there to begin with.</P> Fri, 14 Jun 2019 03:52:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-subsearch-use-same-time-range-same-index-same/m-p/422625#M121358 ragedsparrow 2019-06-14T03:52:19Z https://community.splunk.com/t5/Splunk-Search/How-to-make-subsearch-use-same-time-range-same-index-same/m-p/422626#M121359 <P>Then how about the inverse? Does the outer search obey the limits set by the inner search? Will <CODE>earliest</CODE> and <CODE>latest</CODE> be honoured by the outer search if they are not explicitly overridden?</P> Fri, 14 Jun 2019 04:07:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-subsearch-use-same-time-range-same-index-same/m-p/422626#M121359 petenetwork 2019-06-14T04:07:14Z https://community.splunk.com/t5/Splunk-Search/How-to-make-subsearch-use-same-time-range-same-index-same/m-p/422627#M121360 <P>It can be done. The way it is done is kind of convoluted. I've never used it myself, but here is a very similar example where it was successfully done:</P> <P><A href="https://answers.splunk.com/answers/136791/use-a-subsearch-to-define-earliest-and-latest-for-main-search.html">https://answers.splunk.com/answers/136791/use-a-subsearch-to-define-earliest-and-latest-for-main-search.html</A></P> <P>You could use this example and build your query off of it to pass the time range from the subsearch to the outer search. I tested the example and it does sucessfully substitute the Outer and Sub search time ranges.</P> Fri, 14 Jun 2019 04:23:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-make-subsearch-use-same-time-range-same-index-same/m-p/422627#M121360 ragedsparrow 2019-06-14T04:23:12Z