Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Time picker and Nested query not picking up events

shashigari
Loves-to-Learn Lots
‎04-14-2025 09:42 AM

Good morning, I got a query like this

[| makeresults count=0]
| append
[ search (index="my_index"]

When I use to setup analert like 

earliest="04/11/2025:12:10:01" latest="04/11/2025:12:20:01" `mymacro` | table _time IP

this is not picking up the events in that time frame. however when I expand to 8hours from dropdown it is showing results.

 

Any one can help provide approach for this issue?

Labels (1)
Labels
0 Karma
Reply

shashigari
Loves-to-Learn Lots
‎04-15-2025 07:52 AM

My macro looks like this
[|makeresults count=0]
| append
[ search `mymacro`
| rex ---
| rex ---
| rex ---
| eval --
| eval ---
| fields _time, -,-]
| lookup ---
| lookup ---
| lookup ---
| search ---

----------------------------------

I'm building a scheduled alert which runs this macro using earliest and latest time period

earliest="04/11/2025:12:10:01" latest="04/11/2025:12:20:01" `mymacro` | table _time IP

So this time range is not passing within above macro subquery which is nested.

 

Hope this give you more info.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-15-2025 10:04 AM

It is not clear what your issue is - if you specify earliest and latest using the format you have used, they appear to be passed to a macro (that begins with "index=...") - if you don't specify an overriding time, the time specified by the search also seem to be used. Please provide more precise detail as to what your macro actually is (obfuscating as minimally as possible) and how you have used it in the search, and how you have set up the alert.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-14-2025 11:38 PM

Hi @shashigari ,

as also @livehybrid said, it isn't so clear why you are using this structure of search.

In addition, you are using a macro that we don't know.

Anyway, the format of time in earliest and latest is correct.

Could you better describe your requirement and share your macro?

Ciao.

Giuseppe

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-14-2025 01:45 PM

Hi @shashigari 

Sorry it isnt clear to me which search is having the issue. I'm not sure why you are doing a makeresults followed by an append?
Are you specifying the earliest/latest in your subsearch/append search?

Please can you post your full search with the issue.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...