Search using multiple earliest latest

rdownie · ‎08-21-2013

Can someone tell me why this search returns data:

index=cnr-dhcp ( ( earliest="1377036255" latest="1377082255" leased_ip="10.149.16.13" )) | rex "Lease\sgranted|renewed\sto\sHost:\s'(?P.+)'\sCID:" | transaction lease keepevicted=true | table _time, lease

And this search which includes the above condition does not?

index=cnr-dhcp (( earliest="1377036806" latest="1377082806" leased_ip="172.31.56.158" ) OR ( earliest="1377036255" latest="1377082255" leased_ip="10.149.16.13" )) | rex "Lease\sgranted|renewed\sto\sHost:\s'(?P.+)'\sCID:" | transaction lease keepevicted=true | table _time, lease

Both sides of the OR should return data. Can you not "OR" earliest and latest?
Thanks,
-Bob

MuS · ‎08-29-2014

Hi rdownie,

now it looks like this is possible, at least in Splunk 6.1.2 it works. See this answer http://answers.splunk.com/answers/153336/using-earliest-twice-in-one-search

cheers, MuS

kristian_kolb · ‎08-21-2013

It seems not. Since the element of time is such a fundamental parameter in regards to how data is stored and retrieved (unlike fields inside an event, e.g. usernames or ip-addresses), this might very well be a restriction that cannot be overcome in the way you try to.

Effectively you want to perform two different searches, and I suggest that you try to structure you query as such. Something along the lines of;

index=cnr-dhcp earliest=X latest=Y leased_ip=a.b.c.d 
| append [search index=cnr-dhcp earliest=Z latest=Q leased_ip=e.f.g.h ]
| ...

Hope this helps,

K

Search using multiple earliest latest

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life