Splunk Search

How to use the same timerange for both the main search and subsearch in Splunk 6.3?


Is it possible to make exactly the same timerange for the search and the subsearch in Splunk 6.3?

For example a search:

sourcetype=a event=b NOT [search sourcetype=a event=b | fields eventId]

(eventId is unique for every event, for example)
returns some results at the end of the time window. So Splunk doesn't find them in the subsearch, but does find them in the main search.

Any ideas?

Edited :

Latest&Earliest is a good idea, but what if I want to run a search on a schedule? The only latest I can imagine is "now" and it's the default one.

I can set latest=-1m in search and it will solve the problem, but it is a very bad solution.

Are there any other ideas?



You just use the same earliest and latest in the subsearch and main search.

For more information about earliest and latest, follow this link:




Something quick and dirty but it works fine using "earliest" and "latest":

sourcetype=a event=b earliest=ABC latest=DEF NOT [search sourcetype=a event=b earliest=ABC latest=DEF | fields eventId]



I don't fully understand your comment above:

Latest&Earliest is a good idea, but what if I want to run a search on a schedule? The only latest I can imagine is "now" and it's the default one.

I can set latest=-1m in the search and it will solve the problem, but it is a very bad solution.

Your latest and earliest will work in the same way when you are running a scheduled search. If you don't specify latest, it'll be the same as latest=now, as you said before.

Just to give you an example, I run certain scheduled searches every 15 minutes and I want them to run with that frequency, so I round the seconds to the closest minute using @:

sourcetype=ABC earliest=-15m@m latest=@m [| searchsomethingelse earliest=-15m@m latest=@m]

Not sure if that answers your question though.

Another option is to return earliest and latest from your subsearch. For instance:

sourcetype=a event=b NOT [
    search sourcetype=a event=b earliest=ABC latest=DEF
    | rename _time AS earliest
    | eval latest=earliest + (60 * x)
    | fields eventId, earliest, latest
]
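The following is an added example, not code from this thread. It models in Python the behaviour the question describes: the subsearch resolves its own "now" before the main search does, so an event that lands between the two evaluations is excluded from the subsearch but kept by the main search. It then checks the @m snapping suggested above and the stricter option of computing one window and passing identical bounds to both searches. Event timestamps and IDs are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data: (eventId, _time). e3 sits right at the end of the window.
EVENTS = [
    ("e1", datetime(2023, 11, 1, 10, 0, 5)),
    ("e2", datetime(2023, 11, 1, 10, 7, 30)),
    ("e3", datetime(2023, 11, 1, 10, 14, 58)),
]


def snap_to_minute(t):
    """Same effect as the SPL '@m' snap: truncate to the start of the minute."""
    return t.replace(second=0, microsecond=0)


def window(now, minutes=15, snap=False):
    """Bounds for 'earliest=-15m latest=now' (or '-15m@m' / '@m' when snap=True)."""
    latest = snap_to_minute(now) if snap else now
    return latest - timedelta(minutes=minutes), latest


def ids_in(events, earliest, latest):
    """Splunk keeps events with earliest <= _time < latest."""
    return {eid for eid, t in events if earliest <= t < latest}


def main_not_subsearch(events, main_window, sub_window):
    """Model of 'sourcetype=a event=b NOT [search sourcetype=a event=b | fields eventId]':
    the subsearch is evaluated with its own bounds, then the main search with its own."""
    return sorted(ids_in(events, *main_window) - ids_in(events, *sub_window))


def independent_now(events, sub_now, main_now, snap=False):
    """Each search resolves 'now' separately, as in the question."""
    return main_not_subsearch(events, window(main_now, snap=snap), window(sub_now, snap=snap))


def shared_bounds(events, scheduled_at):
    """Compute the window once and give both searches identical earliest/latest."""
    w = window(scheduled_at, snap=True)
    return main_not_subsearch(events, w, w)


if __name__ == "__main__":
    sub_now = datetime(2023, 11, 1, 10, 14, 57)   # subsearch evaluated first
    main_now = datetime(2023, 11, 1, 10, 15, 0)   # main search a few seconds later
    print(independent_now(EVENTS, sub_now, main_now))             # ['e3'] leaks through
    print(independent_now(EVENTS, sub_now, main_now, snap=True))  # ['e3']: the minute rolled over in between
    same_minute = (datetime(2023, 11, 1, 10, 15, 1), datetime(2023, 11, 1, 10, 15, 3))
    print(independent_now(EVENTS, *same_minute, snap=True))       # []: both snapped to the same minute
    print(shared_bounds(EVENTS, main_now))                        # []: identical bounds, no leak
```

The snapped run shows the caveat: @m only makes the windows agree when both evaluations fall inside the same minute, so for a scheduled search the safe option is the last one, one window shared by both searches.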


Hi there, the subsearch, when negated, is the opposite of the search. Is that right?
Because of this, maybe that is why it shows only the results from the search.

Maybe I'm misunderstanding something; let me know if that's the case.



It shows only results from the search, but they are filtered due to the subsearch conditions. And the filtering works wrong.

I want to implement this SQL code
select * from a
where event=b
and eventId not in
(select eventId from a where event=by)

in SPL. It looks like this
sourcetype=a event=b NOT [search sourcetype=a event=b | fields eventId]
but it is not EXACTLY the same.



I'm just trying to get a good answer for you here, but I don't know if I'm right.

Can you try this and tell me if it works? I want to warn you that maybe I haven't fully understood the question yet, but I'm trying.

sourcetype=a event!=by | join type=left eventId [search sourcetype=a event=b]

Just notice that in the SQL code you wrote event=by in () and in the Splunk search event=b in [], so I just changed the Splunk part of the code for this and wrote event!=by.

If I'm missing something, just answer again and I will keep trying 😉
