Splunk Search

How could I iterate over a search time frame span?

aohls
Contributor

Right now I have a large multisearch, each line specifying a different time range of days. Really we are gathering data on a daily, then weekly, timeframe for some baselines. That is where the eval of time comes in: we assign the eval as day1, day2, day3... so that the data from that day has an eval in the table we can distinguish it by. I am not sure if there is a better way for our need, but I wanted to explore it for my own education. Updating 10+ lines of the same thing is not ideal.

| multisearch
    [search index=someindex sourcetype=somesourcetype name=test earliest=-2d latest=-1d
    | eval time = "day1"]
    [search index=someindex sourcetype=somesourcetype name=test earliest=-3d latest=-2d
    | eval time = "day2"]

I was wondering if there is an easier way to define a value and then just loop through the search. I was thinking something like the following.

| eval valueToUseAsIterator=.....
index=someindex sourcetype=somesourcetype name=test earliest=-(valueToUseAsIterator+1)d latest=-(valueToUseAsIterator)d
| eval time=day(valueToUseAsIterator)

Edit: Added more to the search and information.

0 Karma

inventsekar
SplunkTrust

Hi @aohls, from the query in your post, it is difficult to suggest anything. We need to know how your subsearches are formed; only then can we suggest how to fine-tune it.

Maybe you can copy-paste your Splunk search query (after hiding hostname/sensitive values), so that we can suggest how to fine-tune it.

0 Karma

bowesmana
SplunkTrust

What are you trying to achieve with your multisearch that requires the loop? Do you actually need multiple searches? Are those searches searching the same data apart from the earliest changing?

There's nothing obvious that springs to mind to give you what you want, but perhaps you can elaborate on your search/requirements a bit more.

0 Karma
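
An added example, not from any poster in this thread: when every branch of the multisearch reads the same index, sourcetype and filter and only the day window changes, one search over the whole range can compute the day label from each event's age instead of hard-coding it per branch. The 7-day range and the `days_ago` field name are assumptions; the index, sourcetype and `name=test` filter are the placeholders from the question.

```spl
index=someindex sourcetype=somesourcetype name=test earliest=-8d latest=-1d
| eval days_ago = floor((now() - _time) / 86400)
| eval time = "day" . tostring(days_ago)
| stats count by time
```

Events between 24 and 48 hours old get `time=day1`, the next 24 hours `day2`, and so on, so widening the baseline only means changing `earliest`. The final `stats` is a stand-in for whatever per-day aggregation the baseline needs.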