Splunk Search

How could I iterate over a search time frame span?

aohls
Contributor

Right now I have a large multisearch, each line specifying a different time range of days. Really we are gathering data by a daily, then weekly, timeframe for some baselines. That is where the eval of time comes in: we assign the eval as day1, day2, day3... so the data from that day has a value in the table that we can distinguish it by. I am not sure whether there is a better way for our need, but I wanted to explore it for my own education. Updating 10+ lines of the same thing is not ideal.

| multisearch
    [search index=someindex sourcetype=somesourcetype name=test earliest=-2d latest=-1d
    | eval time = "day1"]
    [search index=someindex sourcetype=somesourcetype name=test earliest=-3d latest=-2d
    | eval time = "day2"]

I was wondering if there is an easier way to define a value and then just loop through the search. I was thinking something like the following.

| eval valueToUseAsIterator=.....
index=someindex sourcetype=somesourcetype name=test earliest=-(valueToUseAsIterator)d latest=-(valueToUseAsIterator+1)d
| eval time=day(valueToUseAsIterator)

Edit: Added more to the search and information.

0 Karma
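As an added example (not from the original post or any reply), the same day1/day2/... labelling can be produced by one search over the whole span instead of one multisearch leg per day: search the full window once and derive the label from each event's _time. The index, sourcetype and name are taken from the post; the 10-day span, the snap-to-midnight boundaries and the field names day_offset and time are assumptions.

```spl
index=someindex sourcetype=somesourcetype name=test earliest=-10d@d latest=@d
| eval day_offset = floor((relative_time(now(), "@d") - _time) / 86400) + 1
| eval time = "day" . day_offset
| eval week = "week" . ceil(day_offset / 7)
| stats count AS events BY time week
| sort day_offset
```

With the @d snapping each label covers one full calendar day in the search head's timezone, so day1 is yesterday and day8 through day10 fall into week2; adding days to the baseline is then a change to one earliest value rather than a new multisearch leg.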

inventsekar
SplunkTrust

Hi @aohls .. from the query in your post, it is difficult to suggest something. We should know how your subsearches are formed; only then can we suggest how to fine-tune it.

Maybe you can copy-paste your Splunk search query (after hiding hostnames/sensitive values), so that it will be helpful and we can suggest how to fine-tune your search query.

0 Karma

bowesmana
SplunkTrust

What are you trying to achieve with your multisearch that requires the loop? Do you actually need multiple searches? Are those searches searching the same data apart from the earliest changing?

There's nothing obvious that springs to mind to give you what you want, but perhaps you can elaborate on your search/requirements a bit more.

0 Karma