Solved: Time modifiers in second search after pipe

adamguzek · ‎05-08-2014

On data with recent timestamps I do search:

index=test * | search earliest="1/1/1990:20:00:00"

No results found, but I was expecting all my events.

Yes I do need this timemodifier in my second search I want to narrow time appending search one after another...

Ayn · ‎05-08-2014

First of all, that's no subsearch, that's just a second search further along the main search pipeline.

Anyway, specifying earliest is only supported in the base search. If you do

index=test earliest="1/1/1990:20:00:00"

you should be getting all your events after the specified time (as long as your time string is correctly formatted, which I admin I haven't checked).

View solution in original post

Ayn · ‎05-08-2014

First of all, that's no subsearch, that's just a second search further along the main search pipeline.

Anyway, specifying earliest is only supported in the base search. If you do

index=test earliest="1/1/1990:20:00:00"

you should be getting all your events after the specified time (as long as your time string is correctly formatted, which I admin I haven't checked).

martin_mueller · ‎05-08-2014

Time modifiers such as earliest only make sense in the first instance of search where events are loaded. Afterwards, you can still do filtering like this:

index=test | some magic stuff | where _time > relative_time(now(), "-10y")
index=test | some magic stuff | where _time > strptime("1990-01-01T20:00:00", "%FT%T")

adamguzek · ‎05-08-2014

Can I use other time modifiers in second search - is it only earliest/latest problematic?

Time modifiers in second search after pipe

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All