https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141224#M39106 <P>Just for clarification (I misunderstood the answer until I double checked what happens), the searches will only restrict to explicitly given time ranges (via earliest and latest) and otherwise use the widest possible time range. For example, doing this:</P> <PRE><CODE>| multisearch [search a] [search b earliest=-7d@d latest=-6d@d] </CODE></PRE> <P>with a global timespan of "Today" will not restrict search a to "Today". Instead, search a will run from -7d@d up to now (search b will use the explicit time range given). So to use multisearch correctly, you should probably always define earliest and latest per search.</P> Thu, 01 Dec 2016 09:56:33 GMT jeffland 2016-12-01T09:56:33Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141215#M39097 <P>In my below query, I want to load sourcetypeA for last 13 weeks, however I want to restrict sourcetypeB for last 7 days without using earliest</P> <P>The below trick now()-_time is not working for me. I'm getting " Comparator '&lt;' has an invalid term on the left hand side. " error</P> <PRE>index=my_index (sourcetype=sourcetypeA AND FILE_ID=100002 ) OR (sourcetype=sourcetypeB AND ((now()-_time)&lt;691220) ) </PRE> <P>I don't want to filter after the base query, as the data in sourcetypeB is very huge and is drastically hindering the performance of the query</P> <P>Using the second query (sourcetypeB) as sub query or Join is not an option currently for me</P> <P>Is there a way I can achieve this?</P> <P>Thanks,<BR /> Pradeep</P> Thu, 25 Sep 2014 17:25:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141215#M39097 pradeepkumarg 2014-09-25T17:25:25Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141216#M39098 <P>Hi @gpradeepkumarreddy</P> <P>I know you said you want a solution without earliest, but I thought this post might be helpful with your desired result. Would this work for you?</P> <P><A href="http://answers.splunk.com/answers/153336/is-it-possible-to-use-earliest-twice-in-one-search.html">http://answers.splunk.com/answers/153336/is-it-possible-to-use-earliest-twice-in-one-search.html</A></P> Thu, 25 Sep 2014 17:40:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141216#M39098 ppablo 2014-09-25T17:40:10Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141217#M39099 <P>Thanks much Pat. I never thought it would work and didn't give it a try. Looks like its working <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>You can convert this to answer, I'll accept it.</P> Thu, 25 Sep 2014 17:57:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141217#M39099 pradeepkumarg 2014-09-25T17:57:05Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141218#M39100 <P>No problem Pradeep! I saw that post the other day and bookmarked it since I thought it would be helpful for other people. It came in handy much sooner than expected <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Patrick</P> Thu, 25 Sep 2014 17:59:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141218#M39100 ppablo 2014-09-25T17:59:52Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141219#M39101 <P>This is a situation where <CODE>multisearch</CODE> will be useful:</P> <PRE><CODE>| multisearch [ search sourcetype=sourceA FileID=XYZABC ] [ search sourcetype=sourceB earliest=-7d ] </CODE></PRE> Fri, 26 Sep 2014 01:39:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141219#M39101 gkanapathy 2014-09-26T01:39:20Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141220#M39102 <P>And it's useful because of the multisearches will search only over the specified time ranges. If you use <CODE>earliest</CODE>/<CODE>latest</CODE> in a single base search more than once, you will have to scan the span of the widest time range of all the clauses. This may or may not make a big difference depending on your searches and data distribution.</P> Fri, 26 Sep 2014 01:48:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141220#M39102 gkanapathy 2014-09-26T01:48:59Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141221#M39103 <P>Just a point to add here:<BR /> Searching each time range separately has the earliest and latest times set correctly, but searching them with an OR in between made it so that it windowed the search by the range of the time picker in the search bar. So if that were set to, say, "All Time," it would search over the entire contents of your sourcetypes just to pull out data between those two date ranges. By the same token, if it were set to "Today", it would cut off entries outside of today and give you an incomplete answer. (And if it were set to something that didn't overlap with either of the date ranges in the search, it would give you an error.)</P> Fri, 26 Sep 2014 05:40:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141221#M39103 MuS 2014-09-26T05:40:26Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141222#M39104 <P>This is why I recommend <CODE>multisearch</CODE> as a better solution.</P> Fri, 26 Sep 2014 06:51:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141222#M39104 gkanapathy 2014-09-26T06:51:26Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141223#M39105 <P>Awesome, thanks for this answer and explanation @gkanapathy. I'll definitely recommend this search command to folks with similar use cases from now on. </P> Mon, 29 Sep 2014 16:49:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141223#M39105 ppablo 2014-09-29T16:49:00Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141224#M39106 <P>Just for clarification (I misunderstood the answer until I double checked what happens), the searches will only restrict to explicitly given time ranges (via earliest and latest) and otherwise use the widest possible time range. For example, doing this:</P> <PRE><CODE>| multisearch [search a] [search b earliest=-7d@d latest=-6d@d] </CODE></PRE> <P>with a global timespan of "Today" will not restrict search a to "Today". Instead, search a will run from -7d@d up to now (search b will use the explicit time range given). So to use multisearch correctly, you should probably always define earliest and latest per search.</P> Thu, 01 Dec 2016 09:56:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-time-ranges/m-p/141224#M39106 jeffland 2016-12-01T09:56:33Z