I have a search to build audit data for system changes.
The systems in question have a commit/save type feature, and so the subsearch looks for commit statements in the last 15 minutes, using `earliest=-15m`. But the main search then looks for UI entries for the committing user for the last hour, on that device and session. So, the end result is a set of `values(commands)` that would have gone towards the configuration change.
This works fine and it's building a summary index, and moving along. But when I try to backfill the summary index using the `splunk cmd python fill_summary_index.py`, what happens is (I think) the subsearch doesn't pick up the backfill time range, and bases the subsearch on now, minus 15 minutes, while the main search then tries to correlate over a past chunk of time to session IDs for the last now-15m, and I get no results.
This isn't a major horrible disaster. I can live without backfilling the summary, but I'd like to be able to. So is there a way of specifically using the parent search's time range in a subsearch time range adjustment?
e.g. something like `earliest=parentlatest-15m` (which I know doesn't work)?
That would be awesome, but I can't find any reference to it. And I'm not sure it would ever be useful except for summary index backfilling with correlation type subsearches.
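One way to pin the subsearch window to the parent search's range, as an added example that is not from the original post: drop the wall-clock `earliest=-15m` so the subsearch inherits the outer search's time range, then use `addinfo` (which exposes the search's own bounds as `info_min_time`/`info_max_time`) to keep only the last 15 minutes of that range. The index, sourcetype and field names (`device_logs`, `device_ui`, `action`, `user`, `device`, `session_id`, `command`) are assumed; the 15-minute and one-hour windows are the ones the post describes, with the hour set on the saved search's own time range.

```spl
index=device_logs sourcetype=device_ui
    [ search index=device_logs sourcetype=device_ui action=commit
      | addinfo
      | where _time >= info_max_time - 900
      | dedup user device session_id
      | fields user device session_id ]
| stats min(_time) AS first_cmd, max(_time) AS last_cmd, values(command) AS commands
        by user device session_id
| eval first_cmd=strftime(first_cmd, "%Y-%m-%d %H:%M:%S"),
       last_cmd=strftime(last_cmd, "%Y-%m-%d %H:%M:%S")
```

On a normal scheduled run `info_max_time` is the run's latest time, while under `fill_summary_index.py` it is the end of each backfilled chunk, so the commit lookup stays 15 minutes behind whatever latest time the parent search was given.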