Splunk Search

Time range not substituted by search

coreyCLI
Path Finder

We have an SHC at version 8.1.3. When we try to use "earliest" and "latest" in a search we get results based on the earliest and latest; however, it searches events based on the time picker. I.e., if I create a search "index=main earliest=-15m latest=now" and the time picker is set to "24 hours", the search will search all the events from the past 24 hours yet only display the results for the last 15 minutes. If I test this same search outside of our SHC, on a standalone instance, and use the "-15m" in the search, I get back the last 15 minutes of events and I am ONLY searching the last 15 minutes of events. The search does not care about what is selected in the time picker. As well, in the job inspector I see the "Your time range was substituted based on your search string" message as I would expect. In the SHC cluster, I do not see this message.

To add to the weirdness: if I include a sourcetype in my search, "index=main sourcetype=stuff earliest=-15m latest=now", it works as expected and I see the message about substituting the time range in the job inspector. However, if I include more than one sourcetype, then it does NOT substitute the time range.

1 Solution

coreyCLI
Path Finder

For anyone interested: I found an alias someone created using _time, "FIELDALIAS-ts = ts as _time". Once removed, all was working as it should.


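The misconfiguration above is easy to reintroduce and hard to spot by hand across a search head cluster's apps, so here is a small audit script. It is an added example, not code from the original thread or from Splunk: it scans a props.conf for any FIELDALIAS-* setting whose target is _time (either "as _time" or "ASNEW _time"), prints the stanza and the offending line, and exits 0 when at least one is found (1 otherwise, mirroring grep). The sample props.conf it builds is constructed for the demonstration; on a real search head you would point it at the merged output of "splunk btool props list --debug" or at each app's props.conf in turn.

```shell
#!/bin/sh
# Added example (not from the thread): audit a props.conf for FIELDALIAS
# entries that alias another field onto _time, which is the setting the
# accepted answer found to break time-range substitution.
# Usage: find_time_aliases /path/to/props.conf
# Prints "<stanza> <setting line>" for each hit; exit 0 if any hit, else 1.

find_time_aliases() {
    awk '
        /^\[/ { stanza = $0; next }                # remember the current stanza header
        /^[[:space:]]*FIELDALIAS-/ {
            line = $0
            sub(/#.*/, "", line)                   # drop a trailing comment, if any
            # match "<field> as _time" or "<field> ASNEW _time"; the keyword is case-insensitive
            if (tolower(line) ~ /[[:space:]]+(as|asnew)[[:space:]]+_time([[:space:]]|$)/) {
                print stanza " " line
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample props.conf (not from the original post) so the script runs stand-alone.
SAMPLE_PROPS=$(mktemp)
cat > "$SAMPLE_PROPS" <<'EOF'
[stuff]
FIELDALIAS-ts = ts as _time
FIELDALIAS-src = src_ip as src

[other]
FIELDALIAS-user = user_name as user
EOF

find_time_aliases "$SAMPLE_PROPS"
rm -f "$SAMPLE_PROPS"
```

If the intent of such an alias was to make an event field like ts drive the event time, the usual alternatives are to extract it at index time with TIME_PREFIX and TIME_FORMAT in props.conf, or to set it explicitly in the search with "| eval _time=ts"; neither rewrites _time behind the search planner's back the way a search-time alias does.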