I have 2 searches that I am appending that look something like
search1 | append [search search2]
and basically search 1 has data for 6 months e.g. Jan-Jun and search 2 has data for 6 months e.g. Jun-Nov.
Can I control search1 to search for all dates up to June 15th at midnight using latest?
And can I control search2 to search for all dates from June 15th at midnight using earliest? This way, from a graphing point of view, they all line up.
This way my search would look something like
search1 latest=20140615 | append [search search2 earliest=20140616 ]
Yes, you can do it like that; just make sure that the date is in a correct time format and put it in quotes like this:
search1
latest="2014/06/15:00:00"|
append [search search2
earliest="2014/06/16 :00:00:00"]
splunking makes life easier .......
Hi,
Is there any specific reason why you can't use just one search (if both searches are working on the same data set)? Also, you might want to check the subsearch limit, as this might filter out events from the results. For reference: http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Aboutsubsearches
Thanks!!
tks for that,
the datasets are similar but they come from different sources i.e. different hosts.
Also, in the 2nd search the data is in a slightly different format, that is why I need a 2nd search,
and with 2 searches I need to control the dates so there is no duplication.
But based on that link it might not necessarily be designed for what I want, but if it works.
Both my searches have timechart in them and I am just appending them.
tks but that did not work for me.
However reading here I got this to work
search1 endtime= 03/16/2015:00:00:00 | append [search search2 starttime= 03/16/2015:00:00:00 latest=@d ]
endtime= 03/16/2015:00:00:00 - all data up to midnight on the 15th
starttime= 03/16/2015:00:00:00 - all data after midnight on the 15th
latest=@d - all data up to midnight yesterday
see here
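Two ways to express the non-overlapping time split discussed in this thread, written as an added example rather than any poster's own search. The index and sourcetype names (index=web, access_old, access_new) and the 1-day span are assumptions; the cutoff value and the MM/DD/YYYY:HH:MM:SS time format are the ones the working search above uses. The first search keeps the append approach with the cutoff on each side, while the second folds both sources into one base search with a where clause, which sidesteps the subsearch result limit mentioned earlier and still guarantees no event is counted twice.

```spl
/* Variant 1: append, with the boundary applied to each side.
   search1 covers everything before the cutoff, search2 everything at or after it.
   Both halves produce the same timechart shape so the rows line up on one graph. */
index=web sourcetype=access_old latest="03/16/2015:00:00:00"
| timechart span=1d count AS requests
| append
    [ search index=web sourcetype=access_new earliest="03/16/2015:00:00:00" latest=@d
      | timechart span=1d count AS requests ]

/* Variant 2: one search, no subsearch.
   The cutoff is parsed with strptime using the same format string as the
   earliest/latest values, then each source is kept only on its own side of it.
   earliest=-365d@d and latest=@d are assumed outer bounds; adjust to your data. */
index=web (sourcetype=access_old OR sourcetype=access_new) earliest=-365d@d latest=@d
| eval cutoff=strptime("03/16/2015:00:00:00", "%m/%d/%Y:%H:%M:%S")
| where (sourcetype="access_old" AND _time < cutoff)
     OR (sourcetype="access_new" AND _time >= cutoff)
| timechart span=1d count AS requests
```

With variant 2 the cutoff is compared as an epoch value in the where clause, so the search runs as a single job; a count by sourcetype instead of a plain count is a quick way to confirm that no day has events from both sources.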