Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are there Different results with "earliest" than with "earliest_time" when searching via API?

ymcardinal
New Member
‎06-30-2022 12:04 AM

Hello,

I am running the following search via the API:

search index=juniper sourcetype=juniper:junos:firewall "3389"
| rex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?<src_port>\d{1,5})-\>(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(?<dest_port>\d{1,5})"
| eval src_ip_class=if((cidrmatch("192.168.0.0/24",src_ip) OR cidrmatch("172.16.0.0/12",src_ip) OR cidrmatch("10.0.0.0/8",src_ip)),"private","public")
| where dest_port=3389 and src_ip_class="private"
| head 5 

 

I am trying to run it in two ways:

  • With earliest=-90d in the first clause of the query (right after the "3389")
  • With earliest_time=2022-01-31T00:00:00.000Z and latest_time=2022-06-28T23:59:59.999Z that I am passing via the API

The first method returns many results while the second returns none.

 

When querying the search status, I am seeing a huge difference in the very first stage of the query:

"command.search": {
  "duration_secs": 21.298,
  "invocations": 111,
  "input_count": 0,
  "output_count": 266474
}

 vs

"command.search": {
  "duration_secs": 2.329,
  "invocations": 52,
  "input_count": 0,
  "output_count": 98835
}

 

I have confirmed that the earliestTime and latestTime shown in the search status are correct. I have also checked for time skews between _time and indextime and have found none. Changing earliest_time to index_earliest also did not help.

What can account for this difference?

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...