Splunk Search

How to subsearch/multisearch date based on minimum of main search?

arusoft
Communicator

Let's say I have a subsearch or multisearch.

I want my subsearch/multisearch date to be 30 days before the start of the main search date.

Right now I have it hardcoded all the way from the start date of my data, but in reality I am only interested in the 30 days before the main search. The main search will be something like "Before 03/01/2022". So here my subsearch's earliest date should be from "03/01/2022" minus 30 days until "03/01/2022".

| multisearch
[search index="abc" ]
[search index="xyz" earliest="11/01/2021:20:00:00"]

Thanks.


somesoni2
Revered Legend

Give this a try

| multisearch
[search index="abc" ]
[search index="xyz" [| makeresults | addinfo | eval earliest=relative_time(info_max_time,"-30d@d") | eval latest=info_max_time | table earliest latest]]

arusoft
Communicator

Thanks @somesoni2. Below is a simple test based on your example, and it is working fine, but I am not understanding what is going on here. Why are they in brackets []? Are we overwriting the time modifier fields earliest and latest? If yes, why are these fields not highlighted in green, indicating that they are time modifier fields?

index="xxx" [| makeresults | addinfo | eval earliest=relative_time(info_min_time,"-30d@d") | eval latest=info_max_time | table earliest latest]
|timechart span=1d count

Also, why is this not working? It looks like it is just ignoring the eval I did, similar to the above.

index="xxx" 
| addinfo 
| eval earliest=relative_time(info_min_time,"-30d@d") 
| eval latest=info_max_time 
|timechart span=1d count

Thanks

somesoni2
Revered Legend

The subsearch with "makeresults" generates a custom time range, earliest and latest. Using it in the way shown here will add (behind the scenes) "earliest=<value> AND latest=<value>" to the search that contains it. Since this happens behind the scenes, the syntax is not highlighted.

| multisearch
[search index="abc" ]
[search index="xyz" [| makeresults | addinfo | eval earliest=relative_time(info_max_time,"-30d@d") | eval latest=info_max_time | table earliest latest]]

The search below doesn't work because earliest and latest are being added as fields and not as filters.

index="xxx" 
| addinfo 
| eval earliest=relative_time(info_min_time,"-30d@d") 
| eval latest=info_max_time 
| timechart span=1d count
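The mechanism described above, shown end to end in an added example that is not from the thread. The outer search is replaced by `makeresults`-generated events (constructed sample data: one event per day at midnight for the last 90 days), so it runs with no indexed data; the bracketed subsearch returns `earliest` and `latest`, which the outer `search` receives as time modifiers and applies to `_time`. It uses `info_min_time` rather than `info_max_time`, so the window is the 30 days immediately before the start of the time picker range, which is what the question asked for; `relative_time(..., "-30d@d")` subtracts 30 days and snaps to midnight.

```spl
| makeresults count=90
| streamstats count AS days_ago
`comment("constructed sample data: one event per day at midnight from 1 to 90 days ago")`
| eval _time=relative_time(now(), "-".days_ago."d@d")
`comment("the subsearch returns earliest/latest which the outer search turns into earliest=<epoch> latest=<epoch> and applies to _time")`
| search [| makeresults | addinfo | eval earliest=relative_time(info_min_time, "-30d@d") | eval latest=info_min_time | table earliest latest]
| stats count min(_time) AS window_start max(_time) AS window_end
| eval window_start=strftime(window_start, "%F"), window_end=strftime(window_end, "%F")
```

With the time picker on "Last 7 days" (earliest -7d@d), the result is count=30 with window_start 37 days ago and window_end 8 days ago: earliest is inclusive and latest is exclusive, so the event that falls exactly on info_min_time is dropped. To see the clause the subsearch hands to the outer search, run the bracketed part on its own and append `| format`. Two caveats: the time picker must be a bounded range (with "All time", info_min_time is 0 and the computed earliest is meaningless), and in the thread's multisearch the same bracketed subsearch goes inline after `search index="xyz"`, where its modifiers override the time picker for that search only.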

gcusello
SplunkTrust

Hi @arusoft,

you could use a larger time period for both searches (e.g. two months), then in the main search add a further limitation like this:

your_main_search
| eval main_earliest=relative_time(earliest,"-30d")
| where _time>main_earliest
| ...

and in the subsearch use something like this:

your_main_search
| eval sub_latest=relative_time(earliest,"-30d")
| where _time<sub_latest
| ...

Obviously it isn't a very performant search!

If you have few events, you can use it as is; otherwise you have to accelerate it, e.g. using a summary index.

Ciao.

Giuseppe

arusoft
Communicator

Thanks @gcusello . 

Below is what I tried, and I am getting no data. I have data all the way from Nov 1, 2021, and I ran the search below for the last 30 days. So I was hoping it would give me data from the last 60 days, since I am going 30 days earlier than my earliest main search. BTW, I am running this directly in search and not in a dashboard.

index=xxx
| eval main_earliest=relative_time(earliest,"-30d")
| where _time>main_earliest

gcusello
SplunkTrust

Hi @arusoft,

please try this:

index=xxx
| addinfo
| eval main_earliest=relative_time(info_min_time,"-30d")
| where _time>main_earliest

Ciao.

Giuseppe