https://community.splunk.com/t5/Splunk-Search/How-to-display-last-24-hours-data-with-query/m-p/103241#M26674 <P>Hi,<BR /> i have my results :</P> <P>Host | max(usage)</P> <P>ABC | 100</P> <P>xyz | 200</P> <P>I want to add new column in table with max(usage) in last 24 hours by host.</P> <P>| Max usage (last 24 hours)</P> <P>| 90<BR /><BR /> | 200</P> <P>I am using following query :<BR /> index="power" sourcetype="power_usage" | join [ search index="power" sourcetype="power_usage" earliest=-24h | stats max(Power_consumption) by host ]| chart max(Power_consumption) over host</P> <P>Following error occur wit the query:-<BR /> [subsearch]: Your timerange was substituted based on your search string</P> <P>If any body knows the solution, please let me know.</P> <P>Thanks in advance.</P> Mon, 28 Sep 2020 09:34:20 GMT geetanjali 2020-09-28T09:34:20Z https://community.splunk.com/t5/Splunk-Search/How-to-display-last-24-hours-data-with-query/m-p/103241#M26674 <P>Hi,<BR /> i have my results :</P> <P>Host | max(usage)</P> <P>ABC | 100</P> <P>xyz | 200</P> <P>I want to add new column in table with max(usage) in last 24 hours by host.</P> <P>| Max usage (last 24 hours)</P> <P>| 90<BR /><BR /> | 200</P> <P>I am using following query :<BR /> index="power" sourcetype="power_usage" | join [ search index="power" sourcetype="power_usage" earliest=-24h | stats max(Power_consumption) by host ]| chart max(Power_consumption) over host</P> <P>Following error occur wit the query:-<BR /> [subsearch]: Your timerange was substituted based on your search string</P> <P>If any body knows the solution, please let me know.</P> <P>Thanks in advance.</P> Mon, 28 Sep 2020 09:34:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-last-24-hours-data-with-query/m-p/103241#M26674 geetanjali 2020-09-28T09:34:20Z https://community.splunk.com/t5/Splunk-Search/How-to-display-last-24-hours-data-with-query/m-p/103242#M26675 <P>Hello,</P> <P>I don't have the answer, but I can see a problem with the join function. It needs the field-list parameter as you can see in <A href="http://www.splunk.com/base/Documentation/latest/SearchReference/Join">http://www.splunk.com/base/Documentation/latest/SearchReference/Join</A>. In other word, you need to join your subsearch to something and the "field-list" is the common link between both search.</P> <P>Hope it helps.</P> <P>Regards,<BR /> Olivier</P> Tue, 17 May 2011 13:45:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-last-24-hours-data-with-query/m-p/103242#M26675 OL 2011-05-17T13:45:22Z https://community.splunk.com/t5/Splunk-Search/How-to-display-last-24-hours-data-with-query/m-p/103243#M26676 <P>By the way, have you tried the eventstats function? It attaches a summary statistics to each event.</P> <P>Regards,<BR /> Olivier</P> Tue, 17 May 2011 13:54:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-last-24-hours-data-with-query/m-p/103243#M26676 OL 2011-05-17T13:54:05Z https://community.splunk.com/t5/Splunk-Search/How-to-display-last-24-hours-data-with-query/m-p/103244#M26677 <P>Olivier is right eventstats might be a more appropriate command than "join" i suggested to you in another thread</P> Tue, 17 May 2011 13:59:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-last-24-hours-data-with-query/m-p/103244#M26677 MarioM 2011-05-17T13:59:55Z