
How to use different time ranges in sub-queries in savedsearches.conf

Explorer

I am using a composite query which has join to another query. I need to use a longer time range in the main/outer query and the inner query should have the time range from the dispatch.earliest_time defined in the savedsearches.conf.

Suppose I have the below configurations in savedsearches.conf

cron_schedule = 05,25,45 * * * *
dispatch.earliest_time = -25m@m
dispatch.latest_time = -5m@m
search = index=data_set earliest=-120m@m app="demo" Status=SUCCESS | join FileName,FilesCount [ search index=dataset app=demo statusmessage="not completed" | table FileName,FilesCount ] | table FileName,FilesCount, status,_time

Will the above config work?

The query below needs to run over the last 2 hours:

index=data_set app="demo" Status=SUCCESS

The query below needs to run over the time range given by the savedsearches.conf settings:

index=dataset app=demo statusmessage="not completed" | table FileName,FilesCount

The query cannot be changed. Please help me do this.


Re: How to use different time ranges in sub-queries in savedsearches.conf

SplunkTrust

This setup will work fine. The explicit time range in the base search would override the time range you set for your saved search (the dispatch.*_time values), but that saved-search time range would still be applied to the subsearch.

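As an added example (my own code, not from the thread or from Splunk), the following Python script models the time-range rules the answer states and goes one step further: it also checks whether the cron schedule and the dispatch window together leave any minute of the day uncovered, which is the question a detection engineer asks before scheduling a rule like this. The function names (`resolve`, `effective_windows`, `schedule_gaps`), the fixed clock, and the modelling rule that an inline bound not given in the outer search inherits the dispatch.* value are my assumptions; the search string and schedule are the poster's, with the `_` characters restored.

```python
# Added example, not code from the original thread or from Splunk: a small
# model of how a scheduled saved search resolves its time ranges, so the
# configuration discussed above can be sanity-checked before it is deployed
# as a scheduled detection.
#
# Modelling assumptions (simplified, not Splunk's own implementation):
#   * an inline earliest=/latest= in the outer search overrides the matching
#     dispatch.* bound for the outer search only; a bound not given inline
#     inherits the dispatch.* value;
#   * the subsearch inside [ ... ] runs with the dispatch.* window;
#   * only "now" and relative modifiers of the form [+-]N{s,m,h,d}[@unit]
#     are understood.
import re
from datetime import datetime, timedelta, timezone

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_REL = re.compile(r"^([+-]\d+)([smhd])(?:@([smhd]))?$")
_INLINE = re.compile(r"\b(earliest|latest)=(\S+)")


def resolve(modifier: str, now: datetime) -> datetime:
    """Resolve a relative modifier such as '-25m@m' against a tz-aware `now`."""
    if modifier == "now":
        return now
    m = _REL.match(modifier)
    if not m:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    amount, unit, snap = m.groups()
    t = now + timedelta(seconds=int(amount) * UNIT_SECONDS[unit])
    if snap:  # '@unit' snaps *down* to the start of that unit
        epoch = int(t.timestamp())
        t = datetime.fromtimestamp(epoch - epoch % UNIT_SECONDS[snap], tz=now.tzinfo)
    return t


def effective_windows(search: str, dispatch_earliest: str,
                      dispatch_latest: str, now: datetime) -> dict:
    """Return the (earliest, latest) window the outer search and the subsearch get."""
    outer_part = search.split("[", 1)[0]          # text before the subsearch
    inline = dict(_INLINE.findall(outer_part))    # inline earliest=/latest=, if any
    outer = (resolve(inline.get("earliest", dispatch_earliest), now),
             resolve(inline.get("latest", dispatch_latest), now))
    sub = (resolve(dispatch_earliest, now), resolve(dispatch_latest, now))
    return {"outer": outer, "subsearch": sub}


def schedule_gaps(cron_minutes, dispatch_earliest: str, dispatch_latest: str,
                  day_start: datetime) -> list:
    """Simulate one day of scheduled runs and return (start, end) intervals that
    no run's dispatch window covers. An empty list means no blind spots."""
    windows = []
    for hour in range(24):
        for minute in cron_minutes:
            run_at = day_start.replace(hour=hour, minute=minute, second=0, microsecond=0)
            windows.append((resolve(dispatch_earliest, run_at),
                            resolve(dispatch_latest, run_at)))
    windows.sort()
    gaps = []
    covered_until = windows[0][1]
    for earliest, latest in windows[1:]:
        if earliest > covered_until:
            gaps.append((covered_until, earliest))
        covered_until = max(covered_until, latest)
    return gaps


# Constructed inputs: the poster's stanza, with a fixed clock so results are repeatable.
SEARCH = ('index=data_set earliest=-120m@m app="demo" Status=SUCCESS '
          '| join FileName,FilesCount [ search index=dataset app=demo '
          'statusmessage="not completed" | table FileName,FilesCount ] '
          '| table FileName,FilesCount, status,_time')
CRON_MINUTES = [5, 25, 45]
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 5, 30, tzinfo=timezone.utc)
EXAMPLE_DAY = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, (e, l) in effective_windows(SEARCH, "-25m@m", "-5m@m", EXAMPLE_NOW).items():
        print(f"{name:<10} {e:%H:%M} -> {l:%H:%M}")
    print("gaps with 05,25,45:", schedule_gaps(CRON_MINUTES, "-25m@m", "-5m@m", EXAMPLE_DAY))
    print("gaps with 05,45:   ", len(schedule_gaps([5, 45], "-25m@m", "-5m@m", EXAMPLE_DAY)))
```

Run against the poster's stanza with the clock at 12:05:30, the outer search gets 10:05 to 12:00 (the inline -120m@m wins for the lower bound, the dispatch.latest_time -5m@m is inherited) while the subsearch gets 11:40 to 12:00, which is what the answer describes. The schedule check shows that runs at :05, :25 and :45 with a -25m@m to -5m@m window tile the hour with no gap; thinning the schedule to :05 and :45 without widening the window would leave a 20-minute blind spot every hour.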