
Applying time modifier (earliest and latest) to multiple search?

yuwtennis
Communicator

Hi!

Is it possible to do something like below?

If I have 5 searches,

search A
search B
search C
search D
search E

and specify a time modifier, for example, as earliest=-2d@d latest=-1d@d,
is it possible to apply the time modifier to all searches at once and join them?

So my image is,

earliest=-2d@d latest=-1d@d
| join [ search search A]
| join [ search search B]
| join [ search search C]
| join [ search search D]
| join [ search search E]

I want to put the time modifier as input of join for each search.

Thanks,
Yu


somesoni2
Revered Legend

If you're using this query in the search screen, the value you selected in the timerangepicker applies to all the searches, including subsearches. So you don't have to specify it explicitly in each search/subsearch. You can directly use (by the way, join should be done with some common field. As you are saying all searches have different fields, join will not work; consider append):

search A | join [ search search B] | join [ search search C] | join [ search search D] | join [ search search E]

The same is applicable with dashboards. You add a timerangepicker in your dashboard and have your searches nested/attached to it so that all the searches will use the value from the timerangepicker.


kristian_kolb
Ultra Champion

Are you sure that you want to use join? As for the timing, I think that since subsearches run before the main search, you should specify the timing in each search. Otherwise it would probably use some default value ("all time"?), which might not be very good in combination with join...


kristian_kolb
Ultra Champion

My point was more that join is an expensive operation, computation wise. Perhaps you can reach the same results with transaction or stats. But it all depends on what your data looks like, and what you want out of it.

I believe that if you run the search interactively, all searches and subsearches will use the time limits you set in the drop-down 'time picker' menu, unless you specify different.

/k

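As an added illustration of the two points made above (the accepted answer's advice to use append when the searches share no field, and the note about stating the time bounds in every subsearch), here is example SPL that is not from any post in this thread. The index names `auth` and `vpn`, the `action` values and the field names `user`, `failures` and `vpn_logins` are assumed sample data; the `| rename COMMENT AS "..."` lines are the usual no-op idiom for comments in SPL.

```spl
| rename COMMENT AS "Added example, not from the thread. Indexes auth/vpn and their fields are assumed."
| rename COMMENT AS "Case 1: searches share a field (user), so join is valid. The same earliest/latest"
| rename COMMENT AS "is repeated inside the subsearch so the bounds hold even when run outside the UI picker."
index=auth action=failure earliest=-2d@d latest=-1d@d
| stats count AS failures BY user
| join type=left user
    [ search index=vpn action=connect earliest=-2d@d latest=-1d@d
      | stats count AS vpn_logins BY user ]
| fillnull value=0 vpn_logins
| sort - failures

| rename COMMENT AS "Case 2: searches have no common field, so join cannot match rows. append stacks the"
| rename COMMENT AS "results and a final stats collapses them into one row covering the same day."
index=auth action=failure earliest=-2d@d latest=-1d@d
| stats count AS failures
| append
    [ search index=vpn action=connect earliest=-2d@d latest=-1d@d
      | stats count AS vpn_logins ]
| stats values(*) AS *
```

Run each case as its own search. In the first, a user with failed logins but no VPN connections still appears (left join plus `fillnull`); in the second, the two single-row results land side by side because `stats values(*) AS *` merges them without needing a key field. If the time range should come only from the time picker or dashboard input, drop the `earliest`/`latest` pairs from both the outer search and the subsearch; the subsearch then inherits the picker's range as the accepted answer describes.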

yuwtennis
Communicator

Hello Kristian.

Thank you for the reply.
What I wanted to do was pass the same time modifier to all the searches and join the results.
All the searches have the same number of rows but different fields.

So is it possible to pass the same time modifier to all the searches?

Thanks,
Yu
