- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use earliest twice in one search (subsearch...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to use earliest twice in one search (subsearch)?
I want to do something like this:
index=* sourcetype=files (earliest="1459455814.788302" filename=hello.exe) OR (earliest="1459458924.655748" filename=test.exe)
According to this, it should work: https://answers.splunk.com/answers/153336/is-it-possible-to-use-earliest-twice-in-one-search.html . However, it is not working. It only returns results that match whatever section in parenthesis comes first in the query. I can run both of those things in parenthesis separately and get the correct results, but when I run them together I only get one result.
Anyone know what's going on?
If you're wondering why I don't just run them by themselves, it's because I'm actually forming these queries from a subsearch and it will have hundreds of these parentheses.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I seem to have found the issue myself. You can only use "earliest" more than once in a query like this if you only specify one index. I was using a *.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm ok. I'll post specifics later when I have time. For me, the fix is definitely supplying only one index at a time, but I am using a subsearch and sticking indexes inside of each subsearch result as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay... Your provided search in the question does not contain any subsearches. So this really needs to changed and please provide as much of information as you can, like the complete search string you used 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry thisissplunk,
But this is not correct as you can see with this run everywhere search:
index=_internal OR index=_audit (sourcetype=splunkd_access earliest=-14d@d) OR (sourcetype=audit* earliest=-30d@d) earliest=-30d@d latest=now | timechart span=d count by sourcetype
Which will perfectly search both indexes and returns events from index=_audit over the last 30 days and from index=_internal only for the last 14 days.
Sadly I cannot upload an image into a comment, but it works. There must be something else wrong in your case.
Please mark this as not to be an answer, because this will mislead others - thanks.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, what is the time range you're running the search ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm running it over All Time.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
