Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the best method to search for different time ranges for 4 different sourcetypes using earliest?

Avantika07
Observer
‎04-09-2021 04:09 AM

I'm creating a query using 4 sourcetypes and want to search across different timerange for them. 

For example:

| multisearch [search index=idx_A, sourcetype=a, earliest=-30d, latest=@d] [search index= idx_A, sourcetype=b, earliest=-24h@h] [[search index= idx_A, sourcetype=c, earliest=-24h@h] [[search index= idx_A, sourcetype=d, earliest=-24h@h]

I saw these two solutions but it didn't really helped for my case.

https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-earliest-twice-in-one-search/td-...

https://community.splunk.com/t5/Splunk-Search/How-to-search-for-two-source-types-each-in-different-t...

I've tried using both multisearch and join. 

Is there a way I can get entire results.

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-09-2021 05:01 AM

I am curious to know why multisearch wasn't helpful for you?

0 Karma
Reply

Avantika07
Observer
‎04-09-2021 07:22 AM

@ITWhisperer  I tried with   last 24 hours  as the range of time picker, but not getting all results. By giving last 30 days, it goes through entire data and takes a lot of time to process.

I'm confused on what should be the correct range of time picker

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-09-2021 07:48 AM

I have not tried multisearch myself, but looking at the posts you mentioned seems to imply that different time ranges should be applied to the different searches, over-riding whatever value is put in the timepicker. Having said that, I did notice that earliest/latest doesn't seem to be expanded for subsearches (you can look at the job inspector log to see this) and perhaps that is true for multi-searches too (this seems like a bug to me if I am reading the documentation correctly).

0 Karma
Reply

Avantika07
Observer
‎04-12-2021 05:09 AM

@ITWhisperer  But  time ranges specified in a subsearch should  apply to that subsearch right.

As per your explanation would the earliest/latest  won't expand with Join as well? In that case what do you suggest to use in this scenario?

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...