Why are there Different results with "earliest" th...

ymcardinal · ‎06-30-2022

Hello,

I am running the following search via the API:

search index=juniper sourcetype=juniper:junos:firewall "3389"
| rex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?<src_port>\d{1,5})-\>(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?<dest_port>\d{1,5})"
| eval src_ip_class=if((cidrmatch("192.168.0.0/24",src_ip) OR cidrmatch("172.16.0.0/12",src_ip) OR cidrmatch("10.0.0.0/8",src_ip)),"private","public")
| where dest_port=3389 and src_ip_class="private"
| head 5

I am trying to run it in two ways:

With earliest=-90d in the first clause of the query (right after the "3389")
With earliest_time=2022-01-31T00:00:00.000Z and latest_time=2022-06-28T23:59:59.999Z that I am passing via the API

The first method returns many results while the second returns none.

When querying the search status, I am seeing a huge difference in the very first stage of the query:

"command.search": {
  "duration_secs": 21.298,
  "invocations": 111,
  "input_count": 0,
  "output_count": 266474
}

vs

"command.search": {
  "duration_secs": 2.329,
  "invocations": 52,
  "input_count": 0,
  "output_count": 98835
}

I have confirmed that the earliestTime and latestTime shown in the search status are correct. I have also checked for time skews between _time and indextime and have found none. Changing earliest_time to index_earliest also did not help.

What can account for this difference?

Why are there Different results with "earliest" than with "earliest_time" when searching via API?

search job inspector

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life