Hi,
I am using a sub search in my dashboard. The sub search uses the time defined in the main search query; however, I want to use a different earliest time in the sub search. The reason is that the main search query is getting the data from a longer time duration, and in the sub search I want to create a time chart with a lesser duration.
Just wondering if there is any way to override the time in the subsearch.
<search id="globalSearch">
  <query>main search</query>
  <earliest>0</earliest>
  <latest>now</latest>
</search>
<search base="globalSearch">
  <query>sub search</query>
  <earliest>-4hrs</earliest>
  <latest>now</latest>
</search>
Thanks
You can't use XML to define earliest/latest to use in a post-process search, but you could do this in the search string defined in the post-process search:
<post-process search string>
| eval post_earliest=relative_time(now(), "-4h")
| where _time>=post_earliest
Edited because the previous version was nonsense.
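The post-process filter from the answer above placed in a complete Simple XML dashboard, as an added example (not code from this thread); the index, sourcetype and 7-day base window are assumed placeholders. The filter limits which events reach the second chart, but the post-process search still runs over the base search's time range rather than its own earliest/latest, which is the behaviour the later replies describe.

```xml
<form>
  <label>Long-window base search with a 4-hour post-process chart</label>

  <!-- Base search: one long query shared by every panel. Values are placeholders. -->
  <search id="globalSearch">
    <query>index=main sourcetype=access_combined status=500 | fields _time status</query>
    <earliest>-7d@d</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Errors over the full base-search window</title>
      <chart>
        <search base="globalSearch">
          <query>timechart count</query>
        </search>
      </chart>
    </panel>

    <panel>
      <title>Errors in the last 4 hours (post-process filter)</title>
      <chart>
        <!-- Post-process search: no earliest/latest of its own, so the rows are
             trimmed with eval/where before the timechart is built. -->
        <search base="globalSearch">
          <query>eval post_earliest=relative_time(now(), "-4h")
            | where _time>=post_earliest
            | timechart span=15m count</query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```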
Thank you, but that doesn't work for me. I am creating the timechart in the subsearch, and the earliest time specified in the search query is not considered in the timechart. 😞
Oops, my previous search was garbage based on what you were looking for. Check out the edited version to see if it's better.
I already tried these scenarios. The problem is that timechart uses the full time range to display 4 hrs of data.
I guess it can be solved only if we are able to define the earliest time in the XML.
I am looking for a workaround for the same problem defined in another post