I am using a sub search in my dashboard. The sub search uses the time defined in the main search query; however, I want to use a different earliest time in the sub search. The reason is that the main search query is getting data from a longer time duration, and in the sub search I want to create a timechart with a shorter duration.
Just wondering if there is any way to override the time in the subsearch.
<search id="globalSearch">
  <query>main search</query>
  <earliest>0</earliest>
  <latest>now</latest>
</search>
<search base="globalSearch">
  <query>sub search</query>
  <earliest>-4hrs</earliest>
  <latest>now</latest>
</search>
You can't use XML to define earliest/latest to use in a post-process search, but you could do this in the search string defined in the post-process search:
<post-process search string> | eval post_earliest=relative_time(now(), "-4h") | where _time>=post_earliest
Edited because the previous version was nonsense.
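Putting the two pieces together, here is a complete Simple XML dashboard that shows the answer's approach in context: the `<earliest>`/`<latest>` elements on the `base=` search are left out, and the 4-hour window is applied in SPL inside the post-process search before the `timechart`. This is an added example, not code from either poster; the index, sourcetype, and `span=10m` are placeholder assumptions.

```xml
<dashboard>
  <label>Base search with a narrower post-process window (constructed example)</label>

  <!-- Base search: index and sourcetype are placeholders, not from the thread.
       It is non-transforming so that _time survives into the post-process search. -->
  <search id="globalSearch">
    <query>index=example_index sourcetype=example_sourcetype</query>
    <earliest>0</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <chart>
        <title>Events, last 4 hours (post-process)</title>
        <!-- Post-process search: <earliest>/<latest> are not honoured here,
             so the window is applied with eval/where on _time instead. -->
        <search base="globalSearch">
          <query>eval post_earliest=relative_time(now(), "-4h") | where _time>=post_earliest | timechart span=10m count</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

The `where` clause only trims which events reach `timechart`; it does not change the search's own time range, which is what the chart's axis is derived from, so the behaviour the asker reports below (the axis still spanning the base search's range) is what this layout produces. Post-process searches also operate only on the result set the base search returns, so a base search over all time with `earliest=0` should be kept narrow in what it matches.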
Thank you, but that doesn't work for me. I am creating the timechart in the subsearch, and the earliest time specified in the search query is not considered in the timechart. 😞
Oops, my previous search was garbage based on what you were looking for. Check out the edited version to see if it's better.
I already tried these scenarios. The problem is that timechart uses the full time range to display 4 hrs of data.
I guess it can be solved only if we are able to define the earliest time in XML.
I am looking for a workaround for the same problem defined in another post.