Is it possible to make exactly the same timerange for the search and the subsearch in Splunk 6.3?
For example a search:
sourcetype=a event=b NOT [search sourcetype=a event=b | fields eventId]
(eventId is unique for every event, for example)
returns some results at the end of the time window. So Splunk doesn't find them in the subsearch, but does find them in the main search.
Any ideas?
Edited:
Latest & earliest is a good idea, but what if I want to run a search on a schedule? The only latest I can imagine is "now", and it's the default one.
I can set latest=-1m in the search and it will solve the problem, but it is a very bad solution.
Are there any other ideas?
You just use the same earliest and latest in the sub-search and main search.
For more information about earliest and latest, follow this link:
http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/SearchTimeModifiers
Something quick and dirty but it works fine using "earliest" and "latest":
sourcetype=a event=b earliest=ABC latest=DEF NOT [search sourcetype=a event=b earliest=ABC latest=DEF | fields eventId]
Hi,
I don't fully understand your comment above:
Latest & earliest is a good idea, but what if I want to run a search on a schedule? The only latest I can imagine is "now", and it's the default one.
I can set latest=-1m in the search and it will solve the problem, but it is a very bad solution.
Your latest and earliest will work in the same way when you are running a scheduled search. If you don't specify latest, it'll be the same as latest=now, as you said before.
Just to give you an example: I run certain scheduled searches every 15 minutes and I want them to run with that frequency, so I round the seconds to the closest minute using @:
sourcetype=ABC earliest=-15m@m latest=@m [| search somethingelse earliest=-15m@m latest=@m]
Not sure if that answers your question though.
Another option is to return earliest and latest from your subsearch. For instance:
sourcetype=a event=b NOT [
search sourcetype=a event=b earliest=ABC latest=DEF
| rename _time AS earliest
| eval latest=earliest + (60 * x)
| fields eventId, earliest, latest
]
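The thread's explanation of why events "at the end of the time window" leak through the NOT, and why snapping both searches with @m closes the gap, can be simulated. The following Python model is an added example and is not from the thread or from Splunk itself: it assumes (hypothetically, but in line with the question) that the subsearch reads the index slightly before the main search does, so an event indexed in between, with a _time inside the window, is visible only to the main search. Event data, timestamps and the read offsets are constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the thread): (eventId, _time, indexed_at).
# indexed_at is the moment the event became searchable; the gap between _time and
# indexed_at models indexing latency, which is what lets the main search see an
# event the subsearch did not.
SAMPLE_EVENTS = [
    ("e1", datetime(2024, 1, 1, 12, 1, 0),  datetime(2024, 1, 1, 12, 1, 2)),
    ("e2", datetime(2024, 1, 1, 12, 9, 30), datetime(2024, 1, 1, 12, 9, 31)),
    # late arrival: _time is inside the window, but the event is indexed only
    # after the subsearch has already finished reading
    ("e3", datetime(2024, 1, 1, 12, 15, 7), datetime(2024, 1, 1, 12, 15, 12)),
]

NOW = datetime(2024, 1, 1, 12, 15, 10)          # dispatch time of the scheduled search
SUBSEARCH_READS = NOW + timedelta(seconds=1)    # assumed: subsearch reads the index first
MAIN_SEARCH_READS = NOW + timedelta(seconds=4)  # assumed: main search reads a bit later


def snap_to_minute(t):
    """Model the '@m' snap: truncate to the start of the minute."""
    return t.replace(second=0, microsecond=0)


def time_window(now, snap):
    """Return (earliest, latest) for the window used by both searches.
    snap=False models 'earliest=-15m' with the implicit latest=now;
    snap=True models 'earliest=-15m@m latest=@m'."""
    latest = snap_to_minute(now) if snap else now
    return latest - timedelta(minutes=15), latest


def visible(events, read_at, earliest, latest):
    """eventIds already indexed at read_at whose _time is in [earliest, latest).
    Splunk treats earliest as inclusive and latest as exclusive."""
    return {eid for eid, t, indexed_at in events
            if indexed_at <= read_at and earliest <= t < latest}


def not_subsearch(events, snap):
    """Model 'search ... NOT [search ... | fields eventId]' where both searches
    carry the same time modifiers. The subsearch runs first and its eventIds
    become the exclusion list; returns the eventIds that survive the NOT."""
    earliest, latest = time_window(NOW, snap)
    excluded = visible(events, SUBSEARCH_READS, earliest, latest)
    main_results = visible(events, MAIN_SEARCH_READS, earliest, latest)
    return sorted(main_results - excluded)


if __name__ == "__main__":
    print("leaked without snap:", not_subsearch(SAMPLE_EVENTS, snap=False))  # ['e3']
    print("leaked with @m snap:", not_subsearch(SAMPLE_EVENTS, snap=True))   # []
```

With plain relative modifiers, e3 survives the NOT: its _time is inside the window, but it was indexed after the subsearch finished, so the subsearch never put it on the exclusion list. With latest=@m, the current partial minute is outside both windows, so a late arrival from that minute cannot leak. The same model also shows the limit of the trick: an event whose _time is in the previous minute but which is indexed after the subsearch runs would still leak, so the guard must be larger than the expected indexing lag; latest=-1m from the question is the same idea with a fixed one-minute margin.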
Hi there, the subsearch, negating it, is the opposite of the search. Is that right?
Because of that, maybe that is why it shows only the results from the search.
Maybe I'm misunderstanding something; let me know if that's the case.
It shows only results from the search, but they are filtered due to the subsearch conditions. And the filtering works wrong.
I want to implement this SQL code
select * from a
where event=b
and eventId not in
(select eventId from a where event=by)
in SPL. It looks like this
sourcetype=a event=b NOT [search sourcetype=a event=b | fields eventId]
but it is not EXACTLY the same.
I'm just trying to get a good answer for you here, but I don't know if I'm right.
Can you try this and tell me if it works? I should warn you that maybe I haven't understood the question yet, but I'm trying.
sourcetype=a event!=by | join type=left eventId [search sourcetype=a event=b]
Just notice that in the SQL code you wrote event=by in () and in the Splunk search event=b in [], so I just changed that part of the Splunk code and wrote event!=by.
If I'm missing something, just answer again and I will keep trying 😉