Hi community,   My forwarder is putting logs in index A before 2024/06/01, and in index B after this date. To avoid miss any data when searching, I have to have a query which searches both index. (index="A" "reports" "arts") OR (index="B" "reports" "arts") In this case, I believe if now I select "last 24 hours" in the time selector, the query will still search index A, which is unnecessary. I guess it would be more efficient if I can add a time limit in the first part, to limit the range of events. (earliest=-6mon latest="06/01/2024:00:00:00" index="A" "reports" "arts") OR (earliest="06/01/2024:00:00:00" index="B" "reports" "arts")   I expect Splunk would take an intersection of the two time ranges, but it doesn't. I noticed that adding these surprisingly slows down the query. The "earliest" and "latest" I added override the time selector. Even though I selected "last 24 hours", it returns events in the past 6 months of index A.   Again, my first query should give the correct result, but I'm still wondering if there's a way to improve the efficiency with the date 06/01. Any suggestions are appreciated! ... View more

Hi community,   I need to write a query which can adjust its search string based on event time. For example, if the event time is before 2024/01/01, events should include string "A" OR "B";   index="aws" sourcetype="dev" ("A" OR "B")   Else, events should include string "C" OR "D".     index="aws" sourcetype="dev" ("C" OR "D")       I have written this to get the search string, but have no idea how to make use of it.   index="aws" sourcetype="dev" | eval search_string=if(_time < strptime("2024-01-01", "%Y-%m-%d"), "(\"A\" OR \"B\")", "(\"C\" OR \"D\")") | search search_string     I've got a lot of help here, and really appreciate it! ... View more

Hi community, I have a dropdown for environments like DEV/CT/PROD, and saved it into a token `SDLC`. Now I would like to define another token `new_sdlc`. It's "ctpm" when `SDLC` is "pm"; Otherwise, it's the same value as `SDLC`. In the end, I found a way working but a bit stupid, simply because it seems "!=" is not allowed so I have to list all conditions. I've checked a few posts but didn't find a working and elegant way. I bet there is one. Looking forward to your help. Here is my code: <fieldset submitButton="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="SDLC"> <label>SDLC</label> <choice value="prod">PROD</choice> <choice value="ct">CT</choice> <choice value="pm">PM</choice> <default>prod</default> <initialValue>prod</initialValue> <change> <condition label="CT"> <set token="new_sdlc">ct</set> </condition> <condition label="PM"> <set token="new_sdlc">ctpm</set> </condition> <condition label="PROD"> <set token="new_sdlc">prod</set> </condition> </change> </input> </fieldset> ... View more