Solved: Different time-frames for different indices/parts ...

dkotowsk · ‎01-30-2018

Is it possible to use different timeframes with different indices? For example:

(index=index_a earliest="30/01/18:00:00:00" latest="30/01/18:00:05:00") OR (index=index_b earliest="30/01/18:10:00:00" latest="30/01/18:10:05:00")) dest_ip="10.0.0.1"

What is the right way to do this?

niketn · ‎01-30-2018

@dkotowsk, I would say using append, but there is sub-search limitation applicable.

index=index_a earliest="30/01/18:00:00:00" latest="30/01/18:00:05:00" dest_ip="10.0.0.1"
| append [search index=index_b earliest="30/01/18:10:00:00" latest="30/01/18:10:05:00" dest_ip="10.0.0.1"]

Once you have data from two base searches what is it that you need to perform?

See if you can use multisearch instead of append.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎01-30-2018

@dkotowsk, I would say using append, but there is sub-search limitation applicable.

index=index_a earliest="30/01/18:00:00:00" latest="30/01/18:00:05:00" dest_ip="10.0.0.1"
| append [search index=index_b earliest="30/01/18:10:00:00" latest="30/01/18:10:05:00" dest_ip="10.0.0.1"]

Once you have data from two base searches what is it that you need to perform?

See if you can use multisearch instead of append.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Different time-frames for different indices/parts of a search?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?