Solved: Re: earliest_time in POST call versus earliest in ...

shikhanshu · ‎08-12-2017

I am sending a POST call to the REST endpoint search/jobs with following parameters:

    'output_mode': 'json',
    'earliest_time': '-7d',
    'latest_time': '-1d',
    'exec_mode': 'oneshot',
    'search': 'search index=ind status=FAIL | table error, sim_time'

If, instead of above, I send:

    'output_mode': 'json',
    'exec_mode': 'oneshot',
    'search': 'search index=ind earliest=-7d@d latest=-1d@d status=FAIL | table error, sim_time'

Is there a difference? In terms of performance, load on server, correctness etc.

jkat54 · ‎08-12-2017

Aside from the fact that you're snapping to the day in one search and not the other, there should be no difference in performance.

View solution in original post

jkat54 · ‎08-12-2017

Aside from the fact that you're snapping to the day in one search and not the other, there should be no difference in performance.

shikhanshu · ‎08-12-2017

Sorry, I missed the @d in one search! Both searches are supposed to be the same. No difference sounds great!

jkat54 · ‎08-12-2017

You can always test both 10-20 times and avaerage the results. The _internal index has data related to how long the searches took.

earliest_time in POST call versus earliest in query itself

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life