Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Different time-frames for different indices/parts of a search?

dkotowsk
Engager
‎01-30-2018 12:05 PM

Is it possible to use different timeframes with different indices? For example:

(index=index_a earliest="30/01/18:00:00:00" latest="30/01/18:00:05:00") OR (index=index_b earliest="30/01/18:10:00:00" latest="30/01/18:10:05:00")) dest_ip="10.0.0.1"

What is the right way to do this?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎01-30-2018 12:49 PM

@dkotowsk, I would say using append, but there is sub-search limitation applicable.

index=index_a earliest="30/01/18:00:00:00" latest="30/01/18:00:05:00" dest_ip="10.0.0.1"
| append [search index=index_b earliest="30/01/18:10:00:00" latest="30/01/18:10:05:00" dest_ip="10.0.0.1"]

Once you have data from two base searches what is it that you need to perform?

See if you can use multisearch instead of append.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎01-30-2018 12:49 PM

@dkotowsk, I would say using append, but there is sub-search limitation applicable.

index=index_a earliest="30/01/18:00:00:00" latest="30/01/18:00:05:00" dest_ip="10.0.0.1"
| append [search index=index_b earliest="30/01/18:10:00:00" latest="30/01/18:10:05:00" dest_ip="10.0.0.1"]

Once you have data from two base searches what is it that you need to perform?

See if you can use multisearch instead of append.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...