Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Does the time range picker apply the same range to both a primary search and subsearch? If yes, can I override the subsearch time range?

oraclebox
Explorer
‎10-14-2014 01:45 AM

I want to know about the scope of time range chosen by time range picker/
In my case, I have two sourcetypes and all data under these sourcetypes as shown below. If I choose last 24 hr in the time range picker, does it mean the range will apply to both the primay search and the join subsearch? In other words, will events returned by both searches include all events within the time range?

  search sourcetype=A xxxx
 | join [search sourcetype=B XXXX]

Also, if the time-range applies to both searches, can I override the time-range in the subsearch?

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-14-2014 11:06 AM

You should be able to override the time range picker's time-range by using time modifiers (e.g. earliest, latest etc, see here for full list http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/SearchTimeModifiers). This holds true for both base search and subsearch.

So, I could use yesterday's data in base search and day before yesterday's data in subsearch, even though time range picker is set to yesterday.

index=_internal | stats count as yesterday by sourcetype | appendcols [search index=_internal earliest=-2d@d latest=-1d@d | stats count as dayB4yesterday by sourcetype]

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-14-2014 11:06 AM

You should be able to override the time range picker's time-range by using time modifiers (e.g. earliest, latest etc, see here for full list http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/SearchTimeModifiers). This holds true for both base search and subsearch.

So, I could use yesterday's data in base search and day before yesterday's data in subsearch, even though time range picker is set to yesterday.

index=_internal | stats count as yesterday by sourcetype | appendcols [search index=_internal earliest=-2d@d latest=-1d@d | stats count as dayB4yesterday by sourcetype]
Reply
Solved! Jump to solution

oraclebox
Explorer
‎10-19-2014 05:40 PM

Thanks fro your reply. I am more clear.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-14-2014 11:44 AM

Here you go 🙂

0 Karma
Reply
Solved! Jump to solution

triest
Communicator
‎10-14-2014 11:12 AM

@somesoni2 Could you post your comment as answer, so it can be accepted and then the question will be listed as having an answer.

Thanks!

Reply
Solved! Jump to solution

jrodman
Splunk Employee
Splunk Employee
‎10-14-2014 03:02 AM

I believe the time picker time range applies to the primary search as well as to the subsearch. I do not know if in-search expressions like 'earliest' will work inside the subsearch.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...