https://community.splunk.com/t5/Splunk-Search/Using-multiple-time-range-on-the-same-index-to-return-different/m-p/495363#M138107 <P>Hello all,</P> <P>I have a report that searches for differents time range like Year to now, Month to now, Last 5 days and last 24 hrs.</P> <P>The current search is:</P> <PRE><CODE>search index | stats sum(FAIL) as "Failures", sum(PASS) as "Passed", sum(TOTAL) as "Total" | eval "Date" = "Last 24 hrs" | append [ search "same search index" earliest=-5d@d latest=now() | stats sum(FAIL) as "Failures", sum(PASS) as "Passed", sum(TOTAL) as "Total" | eval "Date" = "Last 5 days"] | append [ search "same search index" earliest=-0mon@mon latest=now() | stats sum(FAIL) as "Failures", sum(PASS) as "Passed", sum(TOTAL) as "Total" | eval "Date" = "Month to now"] | append [ search "same search index" earliest=-0year@year latest=now() | stats sum(FAIL) as "Failures", sum(PASS) as "Passed", sum(TOTAL) as "Total", earliest(_time) as "Date" | convert timeformat="%m/%d/%Y" ctime("Date") as "Date" | eval "Date" = "Year to now - ".'Date'] | table "Date", "Failures", "Passed", "Total" </CODE></PRE> <P>The final result is a table with 4 rows in it. Containing Last 24 hours, Last 5 days, Month to now and Year to now results.</P> <P>So the problem that I'm currently facing is sometimes the Year to now results, returns a different Date like 01/27/2020. It's supposed to be the first day of the current year.</P> <P>The Job Inspect tells me that the append command is consuming a lot of time to be completed.</P> <P>Is it possible to do the longest search (Year to now) and have multiples stats commands by different time range to get the final result or a way to improve this search?</P> <P>Thanks for all your help.</P> Fri, 08 May 2020 12:06:29 GMT egonstep 2020-05-08T12:06:29Z https://community.splunk.com/t5/Splunk-Search/Using-multiple-time-range-on-the-same-index-to-return-different/m-p/495363#M138107 <P>Hello all,</P> <P>I have a report that searches for differents time range like Year to now, Month to now, Last 5 days and last 24 hrs.</P> <P>The current search is:</P> <PRE><CODE>search index | stats sum(FAIL) as "Failures", sum(PASS) as "Passed", sum(TOTAL) as "Total" | eval "Date" = "Last 24 hrs" | append [ search "same search index" earliest=-5d@d latest=now() | stats sum(FAIL) as "Failures", sum(PASS) as "Passed", sum(TOTAL) as "Total" | eval "Date" = "Last 5 days"] | append [ search "same search index" earliest=-0mon@mon latest=now() | stats sum(FAIL) as "Failures", sum(PASS) as "Passed", sum(TOTAL) as "Total" | eval "Date" = "Month to now"] | append [ search "same search index" earliest=-0year@year latest=now() | stats sum(FAIL) as "Failures", sum(PASS) as "Passed", sum(TOTAL) as "Total", earliest(_time) as "Date" | convert timeformat="%m/%d/%Y" ctime("Date") as "Date" | eval "Date" = "Year to now - ".'Date'] | table "Date", "Failures", "Passed", "Total" </CODE></PRE> <P>The final result is a table with 4 rows in it. Containing Last 24 hours, Last 5 days, Month to now and Year to now results.</P> <P>So the problem that I'm currently facing is sometimes the Year to now results, returns a different Date like 01/27/2020. It's supposed to be the first day of the current year.</P> <P>The Job Inspect tells me that the append command is consuming a lot of time to be completed.</P> <P>Is it possible to do the longest search (Year to now) and have multiples stats commands by different time range to get the final result or a way to improve this search?</P> <P>Thanks for all your help.</P> Fri, 08 May 2020 12:06:29 GMT https://community.splunk.com/t5/Splunk-Search/Using-multiple-time-range-on-the-same-index-to-return-different/m-p/495363#M138107 egonstep 2020-05-08T12:06:29Z https://community.splunk.com/t5/Splunk-Search/Using-multiple-time-range-on-the-same-index-to-return-different/m-p/495364#M138108 <P>Hi @egonstep,</P> <P>I created this hack earlier which might be helpful here. So It gives you behavior where you have multiple searches as your basesearch and then you combine all those search results into one search. Which is as follows:</P> <P><STRONG>Step 1</STRONG>: Define your searches as follows:</P> <PRE><CODE>&lt;search&gt; &lt;query&gt;index="X" | stats count | eval "search name"="search1"&lt;/query&gt; &lt;earliest&gt;-24h&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;done&gt; &lt;set token="search1_sid"&gt;$job.sid$&lt;/set&gt; &lt;/done&gt; &lt;/search&gt; &lt;search&gt; &lt;query&gt;index="Y" | stats count | eval "search name"="search2"&lt;/query&gt; &lt;earliest&gt;-7d&lt;/earliest&gt; &lt;latest&gt;now&lt;/latest&gt; &lt;done&gt; &lt;set token="search2_sid"&gt;$job.sid$&lt;/set&gt; &lt;/done&gt; &lt;/search&gt; </CODE></PRE> <P><STRONG>Step 2</STRONG>: Now the <CODE>sid</CODE>s will set when the searches are finished execution. Use them in the main search with <CODE>loadjob</CODE> command as follows:</P> <PRE><CODE>| loadjob $search1_sid$ | append [| loadjob $search2_sid$ ] </CODE></PRE> <P>As the searches ran parallel (having separate job for each search) and the results in the main search are fetched directly from the job <CODE>sid</CODE>, this way you can combine results of long-running searches without affecting them by <CODE>append</CODE> as before.</P> <P><STRONG>Edit</STRONG>: You can also split the search across multiple report searches.</P> <P>Hope this was helpful.</P> <P>Thanks,<BR /> Harsh</P> Fri, 08 May 2020 13:43:40 GMT https://community.splunk.com/t5/Splunk-Search/Using-multiple-time-range-on-the-same-index-to-return-different/m-p/495364#M138108 harshpatel 2020-05-08T13:43:40Z https://community.splunk.com/t5/Splunk-Search/Using-multiple-time-range-on-the-same-index-to-return-different/m-p/495365#M138109 <P>Hey harshpatel, thanks for your answer.</P> <P>But I have a question, this is to create a new dashboard to be sent as pdf, right?</P> Tue, 12 May 2020 11:59:04 GMT https://community.splunk.com/t5/Splunk-Search/Using-multiple-time-range-on-the-same-index-to-return-different/m-p/495365#M138109 egonstep 2020-05-12T11:59:04Z https://community.splunk.com/t5/Splunk-Search/Using-multiple-time-range-on-the-same-index-to-return-different/m-p/495366#M138110 <P>@egonstep, Yes it requires creating a dashboard. Also I've added an edit saying you can create multiple savedsearch as well like this. You can specify savedsearch name to <CODE>loadjob</CODE> command as well in your report search. For documentation (<A href="https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Loadjob">https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Loadjob</A>).</P> Tue, 12 May 2020 16:40:36 GMT https://community.splunk.com/t5/Splunk-Search/Using-multiple-time-range-on-the-same-index-to-return-different/m-p/495366#M138110 harshpatel 2020-05-12T16:40:36Z https://community.splunk.com/t5/Splunk-Search/Using-multiple-time-range-on-the-same-index-to-return-different/m-p/495367#M138111 <P>@harshpatel I see, thanks for the help, I'll try to create this way to see if everything works just fine.</P> Tue, 12 May 2020 20:07:48 GMT https://community.splunk.com/t5/Splunk-Search/Using-multiple-time-range-on-the-same-index-to-return-different/m-p/495367#M138111 egonstep 2020-05-12T20:07:48Z https://community.splunk.com/t5/Splunk-Search/Using-multiple-time-range-on-the-same-index-to-return-different/m-p/611544#M212622 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/156506">@harshpatel</a>&nbsp;could you provide the full dashboard code example? I was not able to successfully use this approach</P> Thu, 01 Sep 2022 06:43:08 GMT https://community.splunk.com/t5/Splunk-Search/Using-multiple-time-range-on-the-same-index-to-return-different/m-p/611544#M212622 BenTreeser 2022-09-01T06:43:08Z