Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to use subsearch with different date time?

sfatnass
Contributor
‎11-09-2016 05:13 AM

hi i try to perform a subsearch using join type=left between two index.

first my indexs are configured like this :

[index_name1]
vix.input.1.path = /toto/pathtoindex/firstindex/...
vix.provider = p_hdfs_test
vix.input.1.et.format = yyyyMMdd
vix.input.1.et.regex = /toto/pathtoindex/firstindex/(\d+)
vix.input.1.lt.format = yyyyMMdd
vix.input.1.lt.offset = 86400
vix.input.1.lt.regex = /toto/pathtoindex/firstindex/(\d+)

the second index contain the same configuration.

my search used with only one date using the timerange by defaut on splunk.

the second index used with the same statement but on (-1d then the first index)

now i tryed for exemple this request :

index=index_name1 |fields toto titi |join type=left toto [|search index=index_name2 |fields + toto tata] |table toto titi tata

the time range is based for the first index
but the second one need to change the date time to get the correct results.
i tryed someting using gentimes but unsuccessful.

can any body help?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sk314
Builder
‎11-09-2016 01:31 PM

have you tried specifying the time in the second search using earliest= and latest= like so:

index=index_name1 |fields toto titi |join type=left toto [search earliest=-2d latest=-1d index=index_name2 |fields + toto tata] |table toto titi tata

For reference: https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/SearchTimeModifiers

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sk314
Builder
‎11-09-2016 01:31 PM

have you tried specifying the time in the second search using earliest= and latest= like so:

index=index_name1 |fields toto titi |join type=left toto [search earliest=-2d latest=-1d index=index_name2 |fields + toto tata] |table toto titi tata

For reference: https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/SearchTimeModifiers

0 Karma
Reply
Solved! Jump to solution

sfatnass
Contributor
‎11-10-2016 02:16 AM

it works perfectly, i not tried earliest=-2d

thx

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...