Can I control earliest and latest date using fixed dates?

Motivator

I have 2 searches that I am appending that look something like

search1 | append [search search2]

Basically, search 1 has data for 6 months, e.g. Jan-Jun, and search 2 has data for 6 months, e.g. Jun-Nov.

Can I control search1 to search for all dates up to June 15th at midnight using latest?

And can I control search2 to search for all dates from June 15th at midnight using earliest? This way, from a graphing point of view, they all line up.

This way my search would look something like

search1 latest=20140615 | append [search search2 earliest=20140616 ]

1 Solution

Yes, you can do it like that; just make sure that the date is in a correct time format and put it in quotes like this:

search1 latest="2014/06/15:00:00" | append [search search2 earliest="2014/06/16 :00:00:00"]

splunking makes life easier .......


Builder

Hi,

Is there any specific reason why you can't use just one search (if both searches are working on the same data set)? Also, you might want to check the subsearch limit, as this might filter out events from the results. For reference: http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Aboutsubsearches

Thanks!!


Motivator

Thanks for that.
The datasets are similar, but they come from different sources, i.e. different hosts.
Also, in the 2nd search the data is in a slightly different format; that is why I need a 2nd search,
and with 2 searches I need to control the dates so there is no duplication.

Based on that link it might not necessarily be designed for what I want, but if it works...
Both my searches have timechart in them and I am just appending them.



Motivator

Thanks, but that did not work for me.
However, reading here, I got this to work:

search1 endtime= 03/16/2015:00:00:00 | append [search search2 starttime= 03/16/2015:00:00:00 latest=@d ]

endtime=03/16/2015:00:00:00 - all data up to midnight on the 15th
starttime=03/16/2015:00:00:00 - all data after midnight on the 15th
latest=@d - all data up to midnight yesterday
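An added Python helper (not from this thread or from Splunk) that renders a cutoff in Splunk's default absolute-time format, %m/%d/%Y:%H:%M:%S as in the working search above, and checks whether search1's latest and search2's earliest meet exactly, overlap, or leave a gap. It assumes Splunk's inclusive-earliest, exclusive-latest semantics; the search names are constructed.

```python
from datetime import datetime

# Splunk's default format for absolute earliest/latest values, the layout
# used by the search that worked above: %m/%d/%Y:%H:%M:%S (03/16/2015:00:00:00).
SPLUNK_TIME_FMT = "%m/%d/%Y:%H:%M:%S"


def parse_splunk_time(literal):
    """Parse an absolute time modifier in the default format; None for anything
    else (e.g. '2014/06/15:00:00', or a literal with a stray space)."""
    try:
        return datetime.strptime(literal, SPLUNK_TIME_FMT)
    except ValueError:
        return None


def splunk_time(dt):
    """Render a datetime as an earliest/latest literal ready to be quoted."""
    return dt.strftime(SPLUNK_TIME_FMT)


def build_split_search(search1, search2, cutoff):
    """Join two searches so search1 covers _time before the cutoff and
    search2 covers _time from the cutoff on. Splunk treats earliest as
    inclusive and latest as exclusive (assumption stated in the lead-in),
    so the same literal on both sides leaves neither a gap nor an overlap."""
    t = splunk_time(cutoff)
    return f'{search1} latest="{t}" | append [search {search2} earliest="{t}"]'


def check_boundary(latest1, earliest2):
    """Classify where search1's latest meets search2's earliest:
    'ok' when they coincide, 'overlap' when events would be counted twice,
    'gap' when a span of events is dropped, 'invalid' when a literal is
    not in the default format and would not be applied as intended."""
    a, b = parse_splunk_time(latest1), parse_splunk_time(earliest2)
    if a is None or b is None:
        return "invalid"
    if a == b:
        return "ok"
    return "overlap" if b < a else "gap"


if __name__ == "__main__":
    # Constructed search names; the cutoff matches the working search above.
    cutoff = datetime(2015, 3, 16)
    print(build_split_search("index=web host=a", "index=web host=b", cutoff))
    print(check_boundary("03/16/2015:00:00:00", "03/16/2015:00:00:00"))  # ok
    print(check_boundary("2014/06/15:00:00", "2014/06/16 :00:00:00"))    # invalid
```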

Motivator

see here
