If I run "search latest=1/5/2011:0:0:0 | head limit=1" the results are returned immediately. But if I run "search earliest=1/5/2011:0:0:0 | reverse | head limit=1" or "search earliest=1/5/2011:0:0:0 | tail limit=1" or "search earliest=1/5/2011:0:0:0 | sort + _time | head limit=1" the results take forever because it is still executing the search by first looking at the new events first. Is there a way to instruct splunk to begin searching from a specific time forward instead of backwards from the current time?
There is not. It is probably worth filing an Enhancement Request with Splunk, as it's not the first time I'm sure. When you file, be sure to describe your use case.
There is not. It is probably worth filing an Enhancement Request with Splunk, as it's not the first time I'm sure. When you file, be sure to describe your use case.
