Hello, I just have a question regarding subsearches and the time range picker. I am trying to run a subsearch that will look back one month to find account numbers to compare against, however I am getting mixed results.
My problem is that the current/main search runs with a time range of last 15 minutes, and my subsearch contains the below to look back one month (just an example, I know data is available to test 1 day back), but I am getting no results back:
index=test [search index=test earliest=-1mon latest=@d | table account | format account]
The only time I get results back is if I increase the main search's time range. I feel like I might be missing something here, but the documentation does say you can set inline time modifiers in both main searches and subsearches, but does not mention if the time range picker needs to be a value greater than or equal to the inline modifier.
My goal: Perform a look back on all of the accounts created last month up until the start of the current day (midnight), and if the account shows in my main search, do not fire an alert. I need this look back in order to perform this comparison. If any other suggestions are recommended, please advise.