Splunk Search

Why are there Different results with "earliest" than with "earliest_time" when searching via API?

ymcardinal
New Member

Hello,

I am running the following search via the API:

search index=juniper sourcetype=juniper:junos:firewall "3389"
| rex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?<src_port>\d{1,5})-\>(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?<dest_port>\d{1,5})"
| eval src_ip_class=if((cidrmatch("192.168.0.0/24",src_ip) OR cidrmatch("172.16.0.0/12",src_ip) OR cidrmatch("10.0.0.0/8",src_ip)),"private","public")
| where dest_port=3389 and src_ip_class="private"
| head 5 

 

I am trying to run it in two ways:

  • With earliest=-90d in the first clause of the query (right after the "3389")
  • With earliest_time=2022-01-31T00:00:00.000Z and latest_time=2022-06-28T23:59:59.999Z that I am passing via the API

The first method returns many results while the second returns none.

 

When querying the search status, I am seeing a huge difference in the very first stage of the query:

"command.search": {
"duration_secs": 21.298,
"invocations": 111,
"input_count": 0,
"output_count": 266474
}

 vs

"command.search": {
"duration_secs": 2.329,
"invocations": 52,
"input_count": 0,
"output_count": 98835
}

 

I have confirmed that the earliestTime and latestTime shown in the search status are correct. I have also checked for time skews between _time and indextime and have found none. Changing earliest_time to index_earliest also did not help.

What can account for this difference?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...