Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why are the time modifiers not working for union command?

SShalaka
Engager
‎07-26-2022 04:30 PM

Hello everyone, 

The time modifiers don't seem seem to work for this search, am I doing something wrong? 

|union
[search query.. earliest=-15m@m latest=now
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total1]
[search query.. earliest=-15m latest=now
|join type=inner x[query..]
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total2]
[search query.. earliest=-1d-15m@m latest=-1d
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total3]
[search query.. earliest=-1d-15m@m latest=-1d
join type=inner x[query..]
|join type=inner x[query..]
|join type=inner x[query..]
|dedup x
|stats count(x) as total4]


|stats sum(total1) as eval1, sum(total2) as eval2, sum(total3) as eval3, sum(total4) as eval4
|eval y1=eval1-eval2
|eval y2=eval3-eval4
|eval z1=round((y1/eval1)*100, 2)
|eval z1=round((y2/eval3)*100, 2)
|table eval1, eval2, eval3, eval4, y1, y2, z1, z2

 

The sub searches with time modifiers in bold do not work and results in 0s in the output table. However, if i change the bold time modifiers to earliest=-15m@m latest=now, it works fine, but give me the same result of the fisrt 2 sub searches. Unsure as to why this is happening. 

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-26-2022 05:09 PM

In principle, things seem ok, but you are using many joins, so one possibility is that your data set size is complicating things. joins are not really the Splunk way of doing things and you can generally achieve the same outcome using stats. join will have limitations, particularly with the data size of the join set. Also subsearches have a limited run time.

Given that you have 10 joins, it could be related to that. How long does the search take to run?

If you shorten the range of the 3rd and 4th time, to a few seconds, but still -1d does that change the result?

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...