Splunk Search

Can I control earliest and latest date using fixed dates?

HattrickNZ
Motivator

I have 2 searches that I am appending that look something like

search1 | append [search search2]

and basically search1 has data for 6 months, e.g. Jan-Jun, and search2 has data for 6 months, e.g. Jun-Nov

Can I control search1 to search for all dates up to June 15th at midnight using latest?

And can I control search2 to search for all dates from June 15th at midnight using earliest? This way, from a graphing point of view, they all line up.

This way my search would look something like

search1 latest=20140615 | append [search search2 earliest=20140616 ]

1 Solution

stephane_cyrill
Builder

Yes, you can do it like that; just make sure that the date is in a correct time format and put it in quotes like this:

search1
latest="2014/06/15:00:00"|
append [search search2
earliest="2014/06/16 :00:00:00"]

splunking makes life easier .......


vganjare
Builder

Hi,

Is there any specific reason why you can't use just one search (if both searches are working on the same data set)? Also, you might want to check the subsearch limit, as this might filter out events from the results. For reference: http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Aboutsubsearches

Thanks!!


HattrickNZ
Motivator

Thanks for that.
The datasets are similar, but they come from different sources, i.e. different hosts.
Also, in the 2nd search the data is in a slightly different format; that is why I need a 2nd search,
and with 2 searches I need to control the dates so there is no duplication.

But based on that link it might not necessarily be designed for what I want, but if it works...
Both my searches have timechart in them and I am just appending them.



HattrickNZ
Motivator

Thanks, but that did not work for me.
However, reading here I got this to work:

search1 endtime= 03/16/2015:00:00:00 | append [search search2 starttime= 03/16/2015:00:00:00 latest=@d ]

endtime= 03/16/2015:00:00:00 - all data up to midnight on the 15th
starttime= 03/16/2015:00:00:00 - all data after midnight on the 15th
latest=@d - all data up to midnight yesterday
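The working search above stitches the two halves at one instant. As an added example that is not part of this thread, the Python below builds that stitched SPL string from a single cutover datetime, in either epoch-seconds form (which earliest/latest accept directly, with no timeformat or timezone interpretation) or the default "%m/%d/%Y:%H:%M:%S" form that must be quoted. It also models Splunk's boundary convention (earliest inclusive, latest exclusive) on constructed sample event times to show why the question's first attempt, with latest on the 15th and earliest on the 16th, would leave a day's gap. The search strings, the UTC cutover and the sample event times are assumptions for illustration, not the poster's data.

```python
from datetime import datetime, timezone

# Splunk's default timeformat for earliest/latest (and the legacy starttime/endtime).
SPLUNK_TIMEFORMAT = "%m/%d/%Y:%H:%M:%S"

# Placeholder cutover (assumption): midnight UTC at the start of 16 March 2015.
EXAMPLE_CUTOVER = datetime(2015, 3, 16, tzinfo=timezone.utc)


def as_epoch(t: datetime) -> int:
    """Boundary as epoch seconds. earliest/latest accept a bare integer as epoch,
    which sidesteps timeformat parsing and the Splunk user's timezone setting.
    (This is also why the unquoted latest=20140615 in the question does not mean
    15 June 2014: a bare integer is read as epoch seconds, i.e. a date in 1970.)"""
    if t.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so the boundary is one fixed instant")
    return int(t.timestamp())


def as_timeformat(t: datetime) -> str:
    """The same boundary in the default timeformat; this form must be quoted in SPL
    and is interpreted in the Splunk user's timezone, not the one carried by t."""
    return t.strftime(SPLUNK_TIMEFORMAT)


def build_stitched_search(search1: str, search2: str, cutover: datetime,
                          use_epoch: bool = True) -> str:
    """Stitch two searches at one cutover instant. The same value is used for
    latest on the first half and earliest on the second: Splunk's latest is
    exclusive and earliest is inclusive, so the halves neither overlap nor gap."""
    boundary = str(as_epoch(cutover)) if use_epoch else f'"{as_timeformat(cutover)}"'
    return (f"{search1} latest={boundary} "
            f"| append [search {search2} earliest={boundary} latest=@d]")


def split_events(event_times, latest_of_first: int, earliest_of_second: int):
    """Model which half each event lands in (t < latest, t >= earliest) and report
    events that fall in neither half (a gap) or in both (duplicates)."""
    first = [t for t in event_times if t < latest_of_first]
    second = [t for t in event_times if t >= earliest_of_second]
    dropped = [t for t in event_times if t not in first and t not in second]
    duplicated = [t for t in event_times if t in first and t in second]
    return first, second, dropped, duplicated


# Constructed sample event times (UTC) around the June 2014 cutover in the question.
SAMPLE_EVENTS = [
    as_epoch(datetime(2014, 6, 14, 23, 59, 59, tzinfo=timezone.utc)),
    as_epoch(datetime(2014, 6, 15, 0, 0, 0, tzinfo=timezone.utc)),
    as_epoch(datetime(2014, 6, 15, 12, 0, 0, tzinfo=timezone.utc)),
    as_epoch(datetime(2014, 6, 16, 0, 0, 0, tzinfo=timezone.utc)),
]


def compare_cutovers():
    """The question's version (latest on the 15th, earliest on the 16th) loses the
    whole of 15 June; one shared boundary keeps every event exactly once.
    Returns (gap with split boundaries, gap with shared boundary, duplicates with shared boundary)."""
    june15 = as_epoch(datetime(2014, 6, 15, tzinfo=timezone.utc))
    june16 = as_epoch(datetime(2014, 6, 16, tzinfo=timezone.utc))
    _, _, gap_split, _ = split_events(SAMPLE_EVENTS, june15, june16)
    _, _, gap_shared, dup_shared = split_events(SAMPLE_EVENTS, june16, june16)
    return gap_split, gap_shared, dup_shared


if __name__ == "__main__":
    print(build_stitched_search("index=web host=a", "index=web host=b", EXAMPLE_CUTOVER))
    print(build_stitched_search("index=web host=a", "index=web host=b", EXAMPLE_CUTOVER,
                                use_epoch=False))
    print(compare_cutovers())
```

Both output forms describe the same instant; the epoch form is the safer one to paste into a saved search or dashboard, because the quoted form is re-read under whatever timezone the running user has set.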

HattrickNZ
Motivator

see here
