Splunk Search

Applying time modifiers (earliest and latest) to multiple searches?

yuwtennis
Communicator

Hi!

Is it possible to do something like the below?

If I have 5 searches,

search A
search B
search C
search D
search E

and specify a time modifier, for example earliest=-2d@d latest=-1d@d,
is it possible to apply the time modifier to all searches at once and join them?

So my idea is,

earliest=-2d@d latest=-1d@d
| join [ search search A]
| join [ search search B]
| join [ search search C]
| join [ search search D]
| join [ search search E]

I want to pass the time modifier as input to the join for each search.

Thanks,
Yu

1 Solution

somesoni2
SplunkTrust

If you're using this query in the search screen, the value you selected in the time range picker applies to all the searches, including subsearches. So you don't have to specify it explicitly in each search/subsearch. You can directly use the following (by the way, join should be done with some common field. As you are saying all searches have different fields, join will not work; consider append):

search A | join [ search search B] | join [ search search C] | join [ search search D] | join [ search search E]

The same is applicable to dashboards. You add a time range picker to your dashboard and have your search nested/attached to it so that all the searches will use the value from the time range picker.

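As an added SPL example, not code from the original thread, this is the shape the accepted answer describes: every search, including each join subsearch, carries the same explicit time modifiers, and the joins are on a common field (user). An explicit earliest/latest in the search string overrides whatever the time range picker is set to, so the window is the same for all five pieces no matter how the search is launched. The index names (auth, vpn), sourcetypes, and the fields user, action and src_ip are assumptions for illustration; the window -2d@d to -1d@d is the one from the question.

```spl
index=auth sourcetype=linux_secure action=failure earliest=-2d@d latest=-1d@d
| stats count AS failed_logins BY user
| join type=left user
    [ search index=auth sourcetype=linux_secure action=success earliest=-2d@d latest=-1d@d
      | stats count AS successful_logins BY user ]
| join type=left user
    [ search index=vpn sourcetype=vpn_connect earliest=-2d@d latest=-1d@d
      | stats dc(src_ip) AS vpn_src_ips BY user ]
| fillnull value=0 successful_logins vpn_src_ips
| addinfo
| eval search_window=strftime(info_min_time, "%F %T") . " to " . strftime(info_max_time, "%F %T")
| table user failed_logins successful_logins vpn_src_ips search_window
```

The trailing addinfo/eval pair is the check a practitioner wants: info_min_time and info_max_time are the bounds the outer search actually ran with, so the search_window column shows whether the explicit modifiers or the picker won. A subsearch's bounds are not reported there; to verify one, run the bracketed search on its own with `| addinfo` appended. join type=left keeps users that appear only in the outer search, whereas the default inner join drops them; and each join subsearch is still subject to the result-count and runtime limits for subsearches in limits.conf, which is the other reason the answer steers toward append when the searches share no field.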

kristian_kolb
Ultra Champion

Are you sure that you want to use join? As for the timing, I think that since subsearches run before the main search, you should specify the timing in each search. Otherwise it would probably use some default value ("all time"?), which might not be very good in combination with join...


kristian_kolb
Ultra Champion

My point was more that join is an expensive operation, computation-wise. Perhaps you can reach the same results with transaction or stats. But it all depends on what your data looks like, and what you want out of it.

I believe that if you run the search interactively, all searches and subsearches will use the time limits you set in the drop-down 'time picker' menu, unless you specify different.

/k

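kristian_kolb's stats alternative, as an added example that is not from the original thread: when all the searches read the same time window, one pass over the combined base search with conditional stats aggregations yields the same per-user table without any join or subsearch, so the single earliest/latest pair covers everything and no subsearch result or runtime limit applies. The index names (auth, vpn), sourcetypes, and the fields user, action and src_ip are assumptions for illustration; the window is the one from the question.

```spl
(index=auth sourcetype=linux_secure action IN (failure, success))
    OR (index=vpn sourcetype=vpn_connect)
    earliest=-2d@d latest=-1d@d
| stats count(eval(action="failure")) AS failed_logins
        count(eval(action="success")) AS successful_logins
        dc(eval(if(sourcetype="vpn_connect", src_ip, null()))) AS vpn_src_ips
        BY user
```

The count(eval(...)) and dc(eval(...)) forms do the per-source filtering inside the aggregation, which is what replaces each subsearch. A user with events in only one of the sources still gets a row, with the other counters at 0, which is the left-join behaviour the join version has to ask for explicitly. The trade-off is that every source must be readable in a single base search; if the pieces need different search-time logic that cannot be expressed as an eval, append with a final stats is the fallback the accepted answer mentions.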

yuwtennis
Communicator

Hello Kristian.

Thank you for the reply.
What I wanted to do was pass the same time modifier to all the searches and join the results.
All the searches have the same number of rows but different fields.

So is it possible to pass the same time modifier to all the searches?

Thanks,
Yu
