https://community.splunk.com/t5/Splunk-Search/Subsearch-Realtime-Parent-Search-Last-5-minutes/m-p/18536#M2700 <P>I thought so too, but I tried that and get:</P> <P>Invalid value "rt-5m" for time term 'earliest'</P> <P>earliest="rt-5m"</P> Wed, 31 Oct 2012 21:10:28 GMT BP9906 2012-10-31T21:10:28Z https://community.splunk.com/t5/Splunk-Search/Subsearch-Realtime-Parent-Search-Last-5-minutes/m-p/18532#M2696 <P>Is it possible to have a subsearch looking for a log entry in realtime, then take that field and look back the past 5 minutes for the web logs? </P> <P>I cant seem to get a subsearch to work properly because it does both the subsearch and parent search in realtime, which is why I get no results. </P> <P>Example:</P> <P>index=weblog [ search index=log AND "keyword" | fields + field_name ]</P> Wed, 31 Oct 2012 16:55:38 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-Realtime-Parent-Search-Last-5-minutes/m-p/18532#M2696 BP9906 2012-10-31T16:55:38Z https://community.splunk.com/t5/Splunk-Search/Subsearch-Realtime-Parent-Search-Last-5-minutes/m-p/18533#M2697 <P>You can use the earliest and latest keywords in a search (before the first pipe (|) character) to guide Splunk and constrain one part of the search, thereby ignoring the time range picker. Hints on the format of these "earliest" and "latest" modifiers can be found <A href="http://docs.splunk.com/Documentation/Splunk/5.0/Search/Specifytimemodifiersinyoursearch">here</A>.</P> <P>In your case, you'd probably add the "earliest" and "latest" to your outer search, letting the time range picker drive the subsearch.</P> Wed, 31 Oct 2012 17:57:18 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-Realtime-Parent-Search-Last-5-minutes/m-p/18533#M2697 sowings 2012-10-31T17:57:18Z https://community.splunk.com/t5/Splunk-Search/Subsearch-Realtime-Parent-Search-Last-5-minutes/m-p/18534#M2698 <P>Thanks, I tried adding: earliest=-5m@s </P> <P>index=weblog earliest=-5m@s [ search index=log AND "keyword" | fields + field_name ]</P> <P>I get 2 warnings now:</P> <P>-Search time modifiers are ignored in real-time searches</P> <P>-[subsearch]: Subsearches of a real-time search run over all-time unless explicit time bounds are specified within the subsearch.</P> <P>Am I doing something wrong?</P> Wed, 31 Oct 2012 18:17:36 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-Realtime-Parent-Search-Last-5-minutes/m-p/18534#M2698 BP9906 2012-10-31T18:17:36Z https://community.splunk.com/t5/Splunk-Search/Subsearch-Realtime-Parent-Search-Last-5-minutes/m-p/18535#M2699 <P>The first warning indicates your earliest is ignored since the time range picker is using a real time window. The second warning is to tell you that the subsearch is running "over all time" because a smaller window wasn't applied.</P> <P>Let's try changing the order of things--let's apply a narrower window to the subsearch, and then let the time range picker set the "last 5 minutes" part.</P> <P>Add "earliest=rt-5m" to your <EM>subsearch</EM>, specifying "last 5 minutes, real time", then your outer search's time frame can be dictated by the time range picker.</P> Wed, 31 Oct 2012 20:55:01 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-Realtime-Parent-Search-Last-5-minutes/m-p/18535#M2699 sowings 2012-10-31T20:55:01Z https://community.splunk.com/t5/Splunk-Search/Subsearch-Realtime-Parent-Search-Last-5-minutes/m-p/18536#M2700 <P>I thought so too, but I tried that and get:</P> <P>Invalid value "rt-5m" for time term 'earliest'</P> <P>earliest="rt-5m"</P> Wed, 31 Oct 2012 21:10:28 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-Realtime-Parent-Search-Last-5-minutes/m-p/18536#M2700 BP9906 2012-10-31T21:10:28Z