Splunk Search

Why are the time modifiers not working for union command?

SShalaka
Engager

Hello everyone, 

The time modifiers don't seem seem to work for this search, am I doing something wrong? 

|union
[search query.. earliest=-15m@m latest=now
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total1]
[search query.. earliest=-15m latest=now
|join type=inner x[query..]
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total2]
[search query.. earliest=-1d-15m@m latest=-1d
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total3]
[search query.. earliest=-1d-15m@m latest=-1d
join type=inner x[query..]
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total4]


|stats sum(total1) as eval1, sum(total2) as eval2, sum(total3) as eval3, sum(total4) as eval4
|eval y1=eval1-eval2
|eval y2=eval3-eval4
|eval z1=round((y1/eval1)*100, 2)
|eval z1=round((y2/eval3)*100, 2)
|table eval1, eval2, eval3, eval4, y1, y2, z1, z2

 

The sub searches with time modifiers in bold do not work and results in 0s in the output table. However, if i change the bold time modifiers to earliest=-15m@m latest=now, it works fine, but give me the same result of the fisrt 2 sub searches. Unsure as to why this is happening. 

Labels (2)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

In principle, things seem ok, but you are using many joins, so one possibility is that your data set size is complicating things. joins are not really the Splunk way of doing things and you can generally achieve the same outcome using stats. join will have limitations, particularly with the data size of the join set. Also subsearches have a limited run time.

Given that you have 10 joins, it could be related to that. How long does the search take to run?

If you shorten the range of the 3rd and 4th time, to a few seconds, but still -1d does that change the result?

 

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...