topic Re: Time modifiers in second search after pipe in Splunk Search

Time modifiers in second search after pipe

adamguzek — Thu, 08 May 2014 14:37:44 GMT

On data with recent timestamps I do search:

index=test * | search earliest="1/1/1990:20:00:00"

No results found, but I was expecting all my events.

Yes I do need this timemodifier in my second search I want to narrow time appending search one after another...

Re: Time modifiers in second search after pipe

Ayn — Thu, 08 May 2014 14:41:59 GMT

First of all, that's no subsearch, that's just a second search further along the main search pipeline.

Anyway, specifying earliest is only supported in the base search. If you do

index=test earliest="1/1/1990:20:00:00"

you should be getting all your events after the specified time (as long as your time string is correctly formatted, which I admin I haven't checked).

Re: Time modifiers in second search after pipe

adamguzek — Thu, 08 May 2014 14:47:04 GMT

Can I use other time modifiers in second search - is it only earliest/latest problematic?

Re: Time modifiers in second search after pipe

martin_mueller — Thu, 08 May 2014 17:31:16 GMT

Time modifiers such as earliest only make sense in the first instance of search where events are loaded. Afterwards, you can still do filtering like this:

index=test | some magic stuff | where _time > relative_time(now(), "-10y")
index=test | some magic stuff | where _time > strptime("1990-01-01T20:00:00", "%FT%T")