Solved: Re: search in saved search result

ryastrebov · ‎04-16-2013

Hello!
I have saved search for 8 days. I need upload search result to csv-file for several days. One day - one csv. I use loadjob command for get result of my savedsearch and I select a time interval of 1 day. But I get all result from my savedsearch. Why? How do I select the results of the data for each day?

jonuwz · ‎04-16-2013

Because when you use a timerangepicker, it tells the indexers what timerange to grab off the disks.

When you do a loadjob, it can't limit the search in that way, so all the data is returned.

If _time is saved in your saved search you can do something like :

... | where _time >= strptime("2013-01-30","%Y-%m-%d") AND _time < strptime("2013-01-31","%Y-%m-%d")

or, if you want to be relative ...

... | where _time >= relative_time(now(),"-3d@d")  AND _time < relative_time(now(),"-2d@d")

View solution in original post

jonuwz · ‎04-16-2013

Because when you use a timerangepicker, it tells the indexers what timerange to grab off the disks.

When you do a loadjob, it can't limit the search in that way, so all the data is returned.

If _time is saved in your saved search you can do something like :

... | where _time >= strptime("2013-01-30","%Y-%m-%d") AND _time < strptime("2013-01-31","%Y-%m-%d")

or, if you want to be relative ...

... | where _time >= relative_time(now(),"-3d@d")  AND _time < relative_time(now(),"-2d@d")

ryastrebov · ‎04-16-2013

Thank you!

search in saved search result

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM