https://community.splunk.com/t5/Splunk-Search/How-Can-I-search-retrospectively-in-splunk/m-p/673787#M230687 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263893">@darkhorse91</a>&nbsp;,</P><P>you could use join command but I don't hint because you'll have a very slow search.</P><P>Otherwise, you could run something like this:</P><LI-CODE lang="markup">(index=retrospective earliest=-30d latest=now) OR (index=current earliest=-24h latest=now) | stats values(field_retrospective_1) AS field_retrospective_1 values(field_retrospective_2) AS field_retrospective_2 values(field_retrospective_3) AS field_retrospective_3 values(field_current_1) AS field_current_1 values(field_current_2) AS field_current_2 BY my_field</LI-CODE><P>if you want also to add the condition that my_field must be present in both the indexes, you could run</P><LI-CODE lang="markup">(index=retrospective earliest=-30d latest=now) OR (index=current earliest=-24h latest=now) | stats values(field_retrospective_1) AS field_retrospective_1 values(field_retrospective_2) AS field_retrospective_2 values(field_retrospective_3) AS field_retrospective_3 values(field_current_1) AS field_current_1 values(field_current_2) AS field_current_2 dc(indexes) AS index_count BY my_field | where index_count=2</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 10 Jan 2024 14:04:26 GMT gcusello 2024-01-10T14:04:26Z https://community.splunk.com/t5/Splunk-Search/How-Can-I-search-retrospectively-in-splunk/m-p/673767#M230678 <P>I am working on building a query to search retrospectively and potentially run a report.</P><P>Let's say the first search is</P><LI-CODE lang="markup">index=some_index "inconsistencies" | dedup someField</LI-CODE><P>and the second is</P><LI-CODE lang="markup">index=some_index "consistent" someField IN (fieldValuesFromPrevMsg) | dedup someField</LI-CODE><P>&nbsp;</P><P>I want to check whether a field seen in the first search is part of the second search (which has a slightly different query but has same field) in a custom time frame.(could be in the future relative to the first search or in the past)</P><P>I'm new to splunk, can someone please help me with this?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 10 Jan 2024 11:17:43 GMT https://community.splunk.com/t5/Splunk-Search/How-Can-I-search-retrospectively-in-splunk/m-p/673767#M230678 darkhorse91 2024-01-10T11:17:43Z https://community.splunk.com/t5/Splunk-Search/How-Can-I-search-retrospectively-in-splunk/m-p/673769#M230680 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263893">@darkhorse91</a>,</P><P>you have to use a subsearch, with the limitation that you cannot have more than 50,000 results from the subsearch,&nbsp;</P><P>if:</P><UL><LI>the current search is on index=current and runs on the last day,</LI><LI>the retrospetive search runs on index=retrospective and the last 30 days,&nbsp;</LI><LI>the common field is my_field and it has the same name in both the searches,</LI></UL><P>you could try something like this:</P><LI-CODE lang="markup">index=retrospective earliest=-30d latest=now [ search index=current earliest=-24h latest=now) | dedup my_field | fields my_field ]</LI-CODE><P>You have to adapt my approach to your searches.</P><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Wed, 10 Jan 2024 11:17:44 GMT https://community.splunk.com/t5/Splunk-Search/How-Can-I-search-retrospectively-in-splunk/m-p/673769#M230680 gcusello 2024-01-10T11:17:44Z https://community.splunk.com/t5/Splunk-Search/How-Can-I-search-retrospectively-in-splunk/m-p/673780#M230683 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P><P>&nbsp;</P><P>Amazing. This works. Thanks</P><P>&nbsp;</P><P>I have Another query: how can I print those field values from subsearch that are not in the main search?</P><P>In this case the results of the main search is a superset of the subsearch</P> Wed, 10 Jan 2024 12:37:08 GMT https://community.splunk.com/t5/Splunk-Search/How-Can-I-search-retrospectively-in-splunk/m-p/673780#M230683 darkhorse91 2024-01-10T12:37:08Z https://community.splunk.com/t5/Splunk-Search/How-Can-I-search-retrospectively-in-splunk/m-p/673787#M230687 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263893">@darkhorse91</a>&nbsp;,</P><P>you could use join command but I don't hint because you'll have a very slow search.</P><P>Otherwise, you could run something like this:</P><LI-CODE lang="markup">(index=retrospective earliest=-30d latest=now) OR (index=current earliest=-24h latest=now) | stats values(field_retrospective_1) AS field_retrospective_1 values(field_retrospective_2) AS field_retrospective_2 values(field_retrospective_3) AS field_retrospective_3 values(field_current_1) AS field_current_1 values(field_current_2) AS field_current_2 BY my_field</LI-CODE><P>if you want also to add the condition that my_field must be present in both the indexes, you could run</P><LI-CODE lang="markup">(index=retrospective earliest=-30d latest=now) OR (index=current earliest=-24h latest=now) | stats values(field_retrospective_1) AS field_retrospective_1 values(field_retrospective_2) AS field_retrospective_2 values(field_retrospective_3) AS field_retrospective_3 values(field_current_1) AS field_current_1 values(field_current_2) AS field_current_2 dc(indexes) AS index_count BY my_field | where index_count=2</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 10 Jan 2024 14:04:26 GMT https://community.splunk.com/t5/Splunk-Search/How-Can-I-search-retrospectively-in-splunk/m-p/673787#M230687 gcusello 2024-01-10T14:04:26Z