Why earliest and latest do not work in my search?

kmattern
Builder

Why doesn't this work? If I run the search without earliest and latest and use the time picker instead, I get results. I'm working with the SDK, so a timepicker is not available. I give the user date range selections, such as shown here. The parameters properly pass but I can't get any results. I am using the same search in an Advanced XML dashboard with a time picker and it works perfectly. What am I missing?

[|inputlookup Master.csv | where cab!="NULL" AND subbranch="Act" | fields username ]
| search index="WMICustom" sourcetype="WMICustom" earliest=-30d latest=+6h Message="*\\ABCD\\*"
| lookup Master.csv username output cab | where cab!="NULL" 
| stats sum(filesize) as ABCD by cab 
| eval ABCD=floor(ABCD/1024/1024) 
| appendcols [search index="WMICustom" sourcetype="WMICustom"  earliest=-30d  latest=+6h Message="*\\DEFG\\*"
| lookup Master.csv username output cab | where cab!="NULL" 
| stats sum(filesize) as DEFG by cab 
| eval DEFG=floor(DEFG/1024/1024)]
| appendcols [search index="WMICustom" sourcetype="WMICustom"  earliest=-30d  latest=+6h Message="*\\HIJK\\*"
| lookup Master.csv username output cab | where cab!="NULL" 
| stats sum(filesize) as HIJK by cab 
| eval HIJK=floor(HIJK/1024/1024)]
| appendcols [ search index="WMICustom" sourcetype="WMICustom"  earliest=-30d  latest=+6h Message="*\\LMNO\\*"
| lookup Master.csv username output cab | where cab!="NULL" 
| stats sum(filesize) as LMNO by cab 
| eval LMNO=floor(LMNO/1024/1024)]
| appendcols [search index="WMICustom" sourcetype="WMICustom"  earliest=-30d  latest=+6h Message="*\\STUV\\*"
| lookup Master.csv username output cab | where cab!="NULL" 
| stats sum(filesize) as STUV by cab 
| eval STUV=floor(STUV/1024/1024) ]
| stats first(STUV) as STUV, first(DEFG) as DEFG, first(HIJK) as HIJK, first(LMNO) as LMNO, first(ABCD) as ABCD by cab 
| fillnull value="0" STUV, DEFG, HIJK, LMNO, ABCD 
| table cab, STUV, DEFG, HIJK, LMNO, ABCD 
| rename ABCD AS "ABCD-A(E)", cab AS CAB 
| sort CAB 
| addtotals fieldname="Total (MB)" 
| addcoltotals

Ayn
Legend

earliest and latest only work when you use them in the base search - that is, the implicit search command that runs first of all as the first command in the search pipeline.

Your search currently has a base search consisting ONLY of what the subsearch returns. You should rewrite the search so that instead of

[|inputlookup Master.csv | where cab!="NULL" AND subbranch="Act" | fields username ] | search index="WMICustom" sourcetype="WMICustom" earliest=-30d latest=+6h Message="*\\ABCD\\*"

you do

[|inputlookup Master.csv | where cab!="NULL" AND subbranch="Act" | fields username ] index="WMICustom" sourcetype="WMICustom" earliest=-30d latest=+6h Message="*\\ABCD\\*"

and your earliest/latest parameters will work.

ppablo
Retired

Glad you solved the issue with your search @kmattern 🙂 Don't forget to accept @Ayn's answer to mark this post as solved by clicking on the big check mark to the left of their response. This will help folks with similar questions find the solution too. And you both get karma points 😛 Thanks!

Patrick

kmattern
Builder

Duh. I should have known that. Thanks, sometimes you just look at it too long and don't see the obvious.

0 Karma

kmattern
Builder

I have a number of different cabs and not all of them use the same datatype in the Message field. I'm sorry that I have to obfuscate this so much but it is DoD related and I can't give out the real values in the search. We are talking about Combat Air Brigades in the Active Army. That's about all that I can say.

0 Karma

somesoni2
SplunkTrust

Shouldn't the first search be applied to all the searches/subsearches in order to filter for correct accounts/username?

[|inputlookup Master.csv | where cab!="NULL" AND subbranch="Act" | fields username ]

0 Karma

kmattern
Builder

Yes, I need only a subset of all the different kinds of accounts in my master list. Out of maybe 500 entries I only need about 40.

0 Karma

somesoni2
SplunkTrust

Any specific reason for first Inputlookup command?

0 Karma
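As an added example (not code posted in this thread), here is the whole report rewritten with Ayn's fix applied and somesoni2's question about the inputlookup filter addressed: earliest/latest and the username subsearch sit in the base search, so they apply to every share in one pass, and the five appendcols branches collapse into a single stats/xyseries. It assumes the obfuscated field names and values from the original post (index/sourcetype WMICustom, Master.csv with username/cab/subbranch, filesize, and share names that appear between backslashes in Message, exactly as the original wildcards match them).

```spl
index="WMICustom" sourcetype="WMICustom" earliest=-30d latest=+6h
    (Message="*\\ABCD\\*" OR Message="*\\DEFG\\*" OR Message="*\\HIJK\\*"
     OR Message="*\\LMNO\\*" OR Message="*\\STUV\\*")
    [| inputlookup Master.csv | where cab!="NULL" AND subbranch="Act" | fields username ]
| lookup Master.csv username OUTPUT cab
| where cab!="NULL"
| eval share=case(like(Message, "%\\ABCD\\%"), "ABCD",
                  like(Message, "%\\DEFG\\%"), "DEFG",
                  like(Message, "%\\HIJK\\%"), "HIJK",
                  like(Message, "%\\LMNO\\%"), "LMNO",
                  like(Message, "%\\STUV\\%"), "STUV")
| stats sum(filesize) AS bytes BY cab share
| eval mb=floor(bytes/1024/1024)
| xyseries cab share mb
| fillnull value=0 ABCD DEFG HIJK LMNO STUV
| table cab, STUV, DEFG, HIJK, LMNO, ABCD
| rename cab AS CAB, ABCD AS "ABCD-A(E)"
| sort CAB
| addtotals fieldname="Total (MB)"
| addcoltotals
```

Two things this buys beyond the time-range fix. First, the inputlookup subsearch now restricts every share, not just the first one, so the roughly 40 accounts of interest are the only ones ever counted. Second, appendcols merges the subsearch's Nth row with the main search's Nth row regardless of the cab value on either side; if any one share has no events for some cab, every column after it shifts and the later `stats first(...) by cab` cannot repair the misalignment. Grouping by cab and share in one stats call and pivoting with xyseries keeps each number attached to the cab it came from, and reads the index once instead of five times. The `where cab!="NULL"` after the lookup is redundant given the subsearch filter and is kept only as a guard.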