Re: subsearch and timerange

arlombar1 · ‎04-23-2019

Hello, I just have a question regarding subsearches and the time range picker. I am trying to run a subsearch that will look back one month to find account numbers to compare against, however I am getting mixed results.

My problem is that the current/main search runs with a time range of last 15 minutes, and my subsearch contains the below to look back one month (just an example, I know data is available to test 1 day back), but I am getting no results back:

index=test [search index=test earliest=-1mon latest=@d | table account | format account]

The only time I get results back is if I increase the main searches time range. I feel like I might be missing something here, but the documentation does say you can set inline time modifiers in both main searches and subsearches, but does not mention if the time range picker needs to be a value greater or equal too the inline modifier.

My goal: Perform a look back on all of the accounts created last month up until the start of the current day (midnight), and if the account shows in my main search, do not fire an alert. I need this look back in order to perform this comparison, if any other suggestions are recommended please advise.

woodcock · ‎04-23-2019

Using earliest= latest= always overrides the Timepicker except for a few releases of splunk where there was a bug for subsearches. Check the release notes of your version or just upgrade.

adonio · ‎04-23-2019

without addressing the subsearch question, i think you are spending plenty of CPU time and lots of search effort looking back 30 days to compare to last 15 minutes ... why not use lookup?
run a search every so and so to capture what you want, output to a lookup, and now search your short search and compare results against the lookup

subsearch and timerange

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!