Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use earliest twice in one search (subsearch)?

thisissplunk
Builder
‎03-31-2016 03:59 PM

I want to do something like this:

index=* sourcetype=files (earliest="1459455814.788302" filename=hello.exe) OR (earliest="1459458924.655748" filename=test.exe)

According to this, it should work: https://answers.splunk.com/answers/153336/is-it-possible-to-use-earliest-twice-in-one-search.html . However, it is not working. It only returns results that match whatever section in parenthesis comes first in the query. I can run both of those things in parenthesis separately and get the correct results, but when I run them together I only get one result.

Anyone know what's going on?

If you're wondering why I don't just run them by themselves, it's because I'm actually forming these queries from a subsearch and it will have hundreds of these parentheses.

0 Karma
Reply

thisissplunk
Builder
‎03-31-2016 04:12 PM

I seem to have found the issue myself. You can only use "earliest" more than once in a query like this if you only specify one index. I was using a *.

0 Karma
Reply

thisissplunk
Builder
‎04-01-2016 10:28 AM

Hmm ok. I'll post specifics later when I have time. For me, the fix is definitely supplying only one index at a time, but I am using a subsearch and sticking indexes inside of each subsearch result as well.

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎04-28-2016 06:56 PM

Okay... Your provided search in the question does not contain any subsearches. So this really needs to changed and please provide as much of information as you can, like the complete search string you used 😉

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎03-31-2016 05:10 PM

Sorry thisissplunk,

But this is not correct as you can see with this run everywhere search:

index=_internal OR index=_audit (sourcetype=splunkd_access earliest=-14d@d) OR (sourcetype=audit* earliest=-30d@d) earliest=-30d@d latest=now | timechart span=d count by sourcetype

Which will perfectly search both indexes and returns events from index=_audit over the last 30 days and from index=_internal only for the last 14 days.

Sadly I cannot upload an image into a comment, but it works. There must be something else wrong in your case.

Please mark this as not to be an answer, because this will mislead others - thanks.

cheers, MuS

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎03-31-2016 04:10 PM

So, what is the time range you're running the search ?

0 Karma
Reply

thisissplunk
Builder
‎03-31-2016 04:35 PM

I'm running it over All Time.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...