Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I not receiving results for different time ranges in a subsearch and main search?

chrkohm
Path Finder
‎02-08-2022 08:15 AM

Hello!

I'm struggling with the time ranges within my query.

I have two indexes (anonymized)  

index=documentation contains the information which element is mounted in a device.
 
index= eor contains events for devices

 

Now I'm trying to search only for events in the index=eor for devices that contain the element=COB for the last xx time range

So I tried to set the time range for the sub search like this:

index=eor name IN (*) status IN (*)
[ search indexdocumentation earliest=1 latest=now()
     | search element = COB
     | table devices
]
| table a, b, c, d
 
But I'm getting no results.
 
If I set the time picker let's say to a time range, there are the last events in the documentation index, I'm getting results...
 
Greetings
Chris
Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-08-2022 08:20 AM

Hi @chrkohm,

no parenthesis in now:

index=eor name IN (*) status IN (*)
[ search index= documentation earliest=1 latest=now element = COB
     | table devices
]
| table a, b, c, d

In addition, you don't need to have a search and the search for another parameter, you search is slower!

Ciao.

Giuseppe

0 Karma
Reply

chrkohm
Path Finder
‎02-09-2022 04:56 AM

Hi @gcusello,

 

thanks for your quick answer!

I removed the parenthesis but that dosen´t change anything. Still no results.

I shrieked the example extreamly down. So it looks like the actual two searches dosen´t make any sense.

But I use the subsearch to identify the devices that have a specific element mountet and than I like to search only with this devices in an other index for other results.

 

Greetings

Chris

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-09-2022 05:57 AM

If a search as a whole isn't working, cut and split it into smaller parts and see if they work alone. Then add other elements and see when they stop working.

So if you have a search containing subsearch, check the subsearch on its own first.

search index= documentation earliest=1 latest=now element = COB
| table devices

Does this search return anything?

BTW, don't you rather mean something like

earliest=-1h

If you want "earliest=1" you're trying to search from 1970, or effectively througout your whole index. Which means that the search will probably get too big and too long and will get terminated early, giving you bad results and possibly no results at all.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-09-2022 05:29 AM

Hi @chrkohm,

please try this:

index=eor name=* status=*
[ search index=documentation earliest=1 latest=now element=COB
     | table devices
]
| table a b c d

Ciao.

Giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...