Re: Is it possible to override the earliest and la...

AKG1_old1 · ‎11-22-2017

Hi,

I am using sub search in my dashboard. Sub search use time defiend in main search query, however I want to use different earliest time in sub search. The resason is mail search query is getting the data from longer time duration and In sub search I want to create a time chart with lesser duration.

Just wondering if any way to override the time in subsearch.

<search id="globalSearch">
    <query>main search</query>
    <earliest>0</earliest>
    <latest>now</latest>
  </search>

<search base="globalSearch">
    <query>sub search</query>
    <earliest>-4hrs</earliest>
    <latest>now</latest>
  </search>

Thanks

micahkemp · ‎11-22-2017

You can't use XML to define earliest/latest to use in a post-process search, but you could do this in the search string defined in the post-process search:

<post-process search string>
| eval post_earliest=relative_time(now(), "-4h")
| where _time>=post_earliest

Edited because the previous version was nonsense.

AKG1_old1 · ‎11-22-2017

Thank you but that doen't work for me. I am creating the timechart in subsearch , and specifying earliest time in search query not considered in timechart. 😞

micahkemp · ‎11-22-2017

Oops, my previous search was garbage based on what you were looking for. Check out the edited version to see if it's better.

AKG1_old1 · ‎11-22-2017

I already tried these scenario. the problem is that timechart use full time to display 4 hrs data.

I guess it can be solved only if we are able to define earliest time in xml.

I am looking for workaround for same problem defined in another post

https://answers.splunk.com/answers/593000/after-eval-time-time-chart-is-not-considering-upda.html?mi...

Is it possible to override the earliest and latest time in subsearch ?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms