Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search using multiple earliest latest

rdownie
Communicator
‎08-21-2013 04:56 AM

Can someone tell me why this search returns data:


index=cnr-dhcp ( ( earliest="1377036255" latest="1377082255" leased_ip="10.149.16.13" )) | rex "Lease\sgranted|renewed\sto\sHost:\s'(?P.+)'\sCID:" | transaction lease keepevicted=true | table _time, lease


And this search which includes the above condition does not?


index=cnr-dhcp (( earliest="1377036806" latest="1377082806" leased_ip="172.31.56.158" ) OR ( earliest="1377036255" latest="1377082255" leased_ip="10.149.16.13" )) | rex "Lease\sgranted|renewed\sto\sHost:\s'(?P.+)'\sCID:" | transaction lease keepevicted=true | table _time, lease


Both sides of the OR should return data. Can you not "OR" earliest and latest?
Thanks,
-Bob

Tags (2)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎08-29-2014 06:44 AM

Hi rdownie,

now it looks like this is possible, at least in Splunk 6.1.2 it works. See this answer http://answers.splunk.com/answers/153336/using-earliest-twice-in-one-search

cheers, MuS

Reply

kristian_kolb
Ultra Champion
‎08-21-2013 05:36 AM

It seems not. Since the element of time is such a fundamental parameter in regards to how data is stored and retrieved (unlike fields inside an event, e.g. usernames or ip-addresses), this might very well be a restriction that cannot be overcome in the way you try to.

Effectively you want to perform two different searches, and I suggest that you try to structure you query as such. Something along the lines of;

index=cnr-dhcp earliest=X latest=Y leased_ip=a.b.c.d 
| append [search index=cnr-dhcp earliest=Z latest=Q leased_ip=e.f.g.h ]
| ...

Hope this helps,

K

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...