How to create a sub-search that looks for events 1...

dyelchuriyelchu · ‎06-18-2019

index=windows sourctype=bla
EventCode=g host=abc user=cvb NOT [
search index=email  |table _time,host
|fields _time, host]

I have to schedule a search similar to above to run every 10m, but I want the sub-search to look for events 5 minutes before to the info_min_time.

I tried the following but doesn't seem to help.

earliest=$info_min_time$ latest=$info_max_time$index=windows sourctype=bla EventCode=g host=abc user=cvb NOT
[ search index=email 
||eval earliest = relative_time($info_min_time$, "-5M")
|table _time,host
|fields _time, host]

Is there any way to achieve this?

jacobpevans · ‎09-09-2019

This one got passed up, but here's the answer:

 index=windows sourctype=bla EventCode=g host=abc user=cvb NOT [
     | search index=email earliest=-5m
     | table _time,host
     | fields _time, host]

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

How to create a sub-search that looks for events 10 mins earlier

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to create a sub-search that looks for events 10 mins earlier

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!