Applying time modifier (earliest and latest) to multiple search?

yuwtennis
Communicator

Hi!

Is it possible to do something like the below?

If I have 5 searches,

search A
search B
search C
search D
search E

and specify a time modifier, for example earliest=-2d@d latest=-1d@d,
is it possible to apply the time modifier to all searches at once and join them?

So what I have in mind is:

earliest=-2d@d latest=-1d@d
| join [ search search A]
| join [ search search B]
| join [ search search C]
| join [ search search D]
| join [ search search E]

I want to put the time modifier as input of join for each search.

Thanks,
Yu


somesoni2
Revered Legend

If you're using this query in the search screen, the value you selected in the time range picker applies to all the searches, including subsearches. So you don't have to specify it explicitly in each search/subsearch. You can directly use the following (by the way, join should be done with some common field. As you are saying all searches have different fields, join will not work; consider append):

search A | join [ search search B] | join [ search search C] | join [ search search D] | join [ search search E]

The same is applicable to dashboards. You add a time range picker in your dashboard and have your searches nested/attached to it so that all searches will use the value from the time range picker.

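The pattern the accepted answer describes, written out as an added example (this is not code from the original thread or from Splunk documentation). The window earliest=-2d@d latest=-1d@d from the question is stated explicitly on the outer search and on every subsearch, so the result is the same whether the search runs from the search bar, a saved search, or a scheduled alert, independent of whatever the time range picker happens to hold. The index names, sourcetypes, and field names (web, os, security, access_combined, cpu, linux_secure, pctIdle) are assumed for illustration only. The first search is the case where the searches share a field (host) and join is appropriate; the second is the case the asker actually describes, different fields and no shared key, where append followed by stats produces one combined row.

```spl
index=web sourcetype=access_combined earliest=-2d@d latest=-1d@d
| stats count AS web_requests BY host
| join type=left host
    [ search index=os sourcetype=cpu earliest=-2d@d latest=-1d@d
      | stats avg(pctIdle) AS avg_cpu_idle BY host ]
| join type=left host
    [ search index=security sourcetype=linux_secure "Failed password" earliest=-2d@d latest=-1d@d
      | stats count AS auth_failures BY host ]
| fillnull value=0 auth_failures
| table host web_requests avg_cpu_idle auth_failures

index=web sourcetype=access_combined earliest=-2d@d latest=-1d@d
| stats count AS web_requests
| append
    [ search index=security sourcetype=linux_secure "Failed password" earliest=-2d@d latest=-1d@d
      | stats count AS auth_failures ]
| stats values(web_requests) AS web_requests, values(auth_failures) AS auth_failures
```

Two practical notes. type=left plus fillnull matters for security reporting: a host with zero authentication failures in the window should show 0, not a null that a later `where auth_failures > N` silently skips. And the subsearch on the right side of join is bounded by subsearch_maxout and subsearch_maxtime in the [join] stanza of limits.conf; when those limits are hit the subsearch is truncated without an error in the results, so hosts quietly disappear from the join. If the per-host counts can be large, compute them with stats in the outer search where possible rather than in a join. In a Simple XML dashboard the same window can be driven from a time input with token time_tok by writing earliest=$time_tok.earliest$ latest=$time_tok.latest$ in each subsearch.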


kristian_kolb
Ultra Champion

Are you sure that you want to use join? As for the timing, I think that since subsearches run before the main search, you should specify the timing in each search. Otherwise it would probably use some default value ("all time"?), which might not be very good in combination with join...


kristian_kolb
Ultra Champion

My point was more that join is an expensive operation, computation-wise. Perhaps you can reach the same results with transaction or stats. But it all depends on what your data looks like, and what you want out of it.

I believe that if you run the search interactively, all searches and subsearches will use the time limits you set in the drop-down 'time picker' menu, unless you specify differently.

/k


yuwtennis
Communicator

Hello Kristian.

Thank you for the reply.
What I wanted to do was pass the same time modifier to all the searches and join the results.
All the searches have the same number of rows but different fields.

So is it possible to pass the same time modifier to all the searches?

Thanks,
Yu
