Splunk Search

Why are the time modifiers not working for union command?

SShalaka
Engager

Hello everyone, 

The time modifiers don't seem seem to work for this search, am I doing something wrong? 

|union
[search query.. earliest=-15m@m latest=now
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total1]
[search query.. earliest=-15m latest=now
|join type=inner x[query..]
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total2]
[search query.. earliest=-1d-15m@m latest=-1d
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total3]
[search query.. earliest=-1d-15m@m latest=-1d
join type=inner x[query..]
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total4]


|stats sum(total1) as eval1, sum(total2) as eval2, sum(total3) as eval3, sum(total4) as eval4
|eval y1=eval1-eval2
|eval y2=eval3-eval4
|eval z1=round((y1/eval1)*100, 2)
|eval z1=round((y2/eval3)*100, 2)
|table eval1, eval2, eval3, eval4, y1, y2, z1, z2

 

The sub searches with time modifiers in bold do not work and results in 0s in the output table. However, if i change the bold time modifiers to earliest=-15m@m latest=now, it works fine, but give me the same result of the fisrt 2 sub searches. Unsure as to why this is happening. 

Labels (2)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

In principle, things seem ok, but you are using many joins, so one possibility is that your data set size is complicating things. joins are not really the Splunk way of doing things and you can generally achieve the same outcome using stats. join will have limitations, particularly with the data size of the join set. Also subsearches have a limited run time.

Given that you have 10 joins, it could be related to that. How long does the search take to run?

If you shorten the range of the 3rd and 4th time, to a few seconds, but still -1d does that change the result?

 

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...