topic Modify timespan of a subsearch in Splunk Search https://community.splunk.com/t5/Splunk-Search/Modify-timespan-of-a-subsearch/m-p/21152#M3420 <P>Hi I’m trying to compare two days in my search, but not the whole day only e.g. from 00:00 till 13:30.</P> <PRE><CODE>index="summary_dummy" earliest=@d | addinfo | stats sum(count) AS count1, max(search_now) as time1, min(info_min_time) as time2 | eval tspan=(time1-time2)/60 | eval tspan2=round(tspan)| append [search index="summary_dummy" earliest=-2@d searchtimespanminutes=tspan| addinfo | stats sum(count) AS count2] </CODE></PRE> <P>I tested tspan2 with isint() but still get the error “ tspan2 is not a valid value for searchtimespanminutes. It is not a positive integer.”<BR /> I think the Problem is that I didn’t pass tspan2 to my subsearch but I’ve no idea how to do that.</P> Fri, 02 Nov 2012 09:24:25 GMT Oti47 2012-11-02T09:24:25Z Modify timespan of a subsearch https://community.splunk.com/t5/Splunk-Search/Modify-timespan-of-a-subsearch/m-p/21152#M3420 <P>Hi I’m trying to compare two days in my search, but not the whole day only e.g. from 00:00 till 13:30.</P> <PRE><CODE>index="summary_dummy" earliest=@d | addinfo | stats sum(count) AS count1, max(search_now) as time1, min(info_min_time) as time2 | eval tspan=(time1-time2)/60 | eval tspan2=round(tspan)| append [search index="summary_dummy" earliest=-2@d searchtimespanminutes=tspan| addinfo | stats sum(count) AS count2] </CODE></PRE> <P>I tested tspan2 with isint() but still get the error “ tspan2 is not a valid value for searchtimespanminutes. It is not a positive integer.”<BR /> I think the Problem is that I didn’t pass tspan2 to my subsearch but I’ve no idea how to do that.</P> Fri, 02 Nov 2012 09:24:25 GMT https://community.splunk.com/t5/Splunk-Search/Modify-timespan-of-a-subsearch/m-p/21152#M3420 Oti47 2012-11-02T09:24:25Z Re: Modify timespan of a subsearch https://community.splunk.com/t5/Splunk-Search/Modify-timespan-of-a-subsearch/m-p/21153#M3421 <P>You have it the other way around. A subsearch is evaluated before the outer search, because the results of the subsearch are passed to the outer search as a filter. I'd suggest that your <CODE>search ... searchtimespanminutes=tspan ...</CODE> be the <EM>outer</EM> search, with the search setting tspan be the subsearch.</P> Fri, 02 Nov 2012 13:53:43 GMT https://community.splunk.com/t5/Splunk-Search/Modify-timespan-of-a-subsearch/m-p/21153#M3421 sowings 2012-11-02T13:53:43Z