Splunk Search

How to use the same timerange for both the main search and subsearch in Splunk 6.3?

0range
Communicator

Is it possible to make exactly the same timerange for the search and the subsearch in Splunk 6.3?

For example a search:

sourcetype=a event=b NOT [search sourcetype=a event=b | fields eventId]

(eventId is unique for every event, for example)
returns some results in the end of the time window. So, Splunk doesn't find them from a subsearch, but found from the main search.

Any ideas?


Edited :

Latest&Earliest is a good idea, but what if I want to run a search on a schedule? The only latest I can imagine is "now" and it's the default one.

I can set latest=-1m in search and it will solve the problem, but it is a very bad solution.

Is there any other ideas?

0 Karma

gyslainlatsa
Motivator

you just use the same Earliest and latest in the sub-search and main search.

For more informations about earliest and latest, follow this link:

http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/SearchTimeModifiers

0 Karma

javiergn
Super Champion

Something quick and dirty but it works fine using "earliest" and "latest":

sourcetype=a event=b earliest=ABC latest=DEF NOT [search sourcetype=a event=b earliest=ABC latest=DEF| fields eventId]
0 Karma

javiergn
Super Champion

Hi,

I don't fully understand your comment above:

Latest&Earliest is a good idea, but if I want to run search on a schedule? the only latest I can imagine is "now" and it's the default one.

I can set latest=-1m in search and it will solved the problem, but it is a very bad solution.

Your latest and earliest will work in same way when you are running a scheduled search. If you don't specify latest it'll be the same as latest=now as you said before.

Just to give you an example, I ran certain scheduled searches every 15 minutes and I want them to run with that frequency so I round the seconds to the closest minute using @:

sourcetype=ABC earliest=-15m@m latest=@m [| searchsomethingelse earliest=-15m@m latest=@m]

Not sure if that answers your question though.

Another option is to return earliest and latest from your subsearch. For instance:

sourcetype=a event=b NOT [
    search sourcetype=a event=b earliest=ABC latest=DEF
    | rename _time AS earliest
    | eval latest=earliest + (60 * x)
    | fields eventId, earliest, latest
] 
0 Karma

marina_rovira
Contributor

Hi there, the subsearch, negating it, is the opposite of the search. It is right?
Because the, maybe is because of this it shows only the results from the search.

Maybe I'm miss understanding something, let me know if it's the case.

0 Karma

0range
Communicator

It shows only result from search, but the ara filtered due to subsearch conditions. And the filtering works wrong.

I want to implement an SQL code
select * from a
where event=b
and eventId not in
(select eventId from a where event=by)

in SPL. It looks like this
sourcetype=a event=b NOT [search sourcetype=a event=b | fields eventId]
but it is not EXACTLY the same.

0 Karma

marina_rovira
Contributor

I'm just trying to get a good answer for you here, but ÇI don't know if I'm right.

Can you try this and tell if it works? I want to advise you that maybe I didn't get the consult yet, but I'm trying.

sourcetype=a event!=by | join type=left eventId [search sourcetype=a event=b]

just notice that in the sql code you wrote event=by in () and in the splunk search event=b in [], so I just change the splunk part code for this part and wrote event!=by

If I missing something just answer again and I will keep trying 😉

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...