Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are the time modifiers not working for union command?

SShalaka
Engager
‎07-26-2022 04:30 PM

Hello everyone, 

The time modifiers don't seem seem to work for this search, am I doing something wrong? 

|union
[search query.. earliest=-15m@m latest=now
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total1]
[search query.. earliest=-15m latest=now
|join type=inner x[query..]
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total2]
[search query.. earliest=-1d-15m@m latest=-1d
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total3]
[search query.. earliest=-1d-15m@m latest=-1d
join type=inner x[query..]
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total4]


|stats sum(total1) as eval1, sum(total2) as eval2, sum(total3) as eval3, sum(total4) as eval4
|eval y1=eval1-eval2
|eval y2=eval3-eval4
|eval z1=round((y1/eval1)*100, 2)
|eval z1=round((y2/eval3)*100, 2)
|table eval1, eval2, eval3, eval4, y1, y2, z1, z2

 

The sub searches with time modifiers in bold do not work and results in 0s in the output table. However, if i change the bold time modifiers to earliest=-15m@m latest=now, it works fine, but give me the same result of the fisrt 2 sub searches. Unsure as to why this is happening. 

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-26-2022 05:09 PM

In principle, things seem ok, but you are using many joins, so one possibility is that your data set size is complicating things. joins are not really the Splunk way of doing things and you can generally achieve the same outcome using stats. join will have limitations, particularly with the data size of the join set. Also subsearches have a limited run time.

Given that you have 10 joins, it could be related to that. How long does the search take to run?

If you shorten the range of the 3rd and 4th time, to a few seconds, but still -1d does that change the result?

 

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...