Splunk Search

Splunk 7.2 Tstats, Addinfo, and Earliest/Latest Bug?



I've recently upgraded a test server of mine from 6.x.x to 7.2.x to find a weird bug and I'm wondering if anyone else is having a similar issue. The following scenario works just fine in 6 but doesn't work in 7. I have a tstats command that requires earliest/latest parameters, then pipes to an addinfo command, but I think I'm getting two different results. It appears that I only get events within the earliest/latest limits, but the addinfo command returns the time picker's earliest/latest limits regardless of time parameters.

Another part I'm finding peculiar is if I don't use tstats and I just do a normal index="my_index" search, everything seems to work as I intended. To put it in a pseudo-code context, I have two searches with the time picker set to last 30 days:

A: | tstats sum(base.purchase) from datamodel=MyDataModel.base where earliest=-7d latest=@d | addinfo

B: index=my_index earliest=-7d latest=@d | stats sum(purchase) | addinfo

Search A and B will both give me a sum of all purchases within the last week, but search A will set the info_min_time value to be the epoch time of 30 days ago (time picker value) while search B will set the info_min_time value to be the epoch time of 7 days ago (the searches earliest parameter).

Has anyone else run into this problem or been able to replicate similar results? Some of the searches I'm running are using a combination of the tstats/earliest/latest/addinfo commands and I'd like to avoid switching from tstats for as long as possible.

James M.

Esteemed Legend

Please add the bug tag.

0 Karma


Hi @jamesmoriarty,

Same issue with Splunk 7.1.2 compared to 6.5.X

0 Karma


It looks like bug, I'd suggest to open case with splunk.

0 Karma
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...