I have a solution that uses API-called macros that prefix the time frame to the search,
i.e. earliest="03/14/2019:00:00:00" latest="03/14/2019:23:59:59" `my_report(sample)`
I need to modify this macro to search two different datasets for two different time spans (one summary, the other near realtime raw).
The idea being that I can stitch the summary and raw together to create an up to the minute report.
Contents of the my_report macro:
index=old_summary_data $token1$ OR (index=new_raw_data earliest=@d latest=now $sample$)
My expanded macro becomes this:
earliest="03/14/2019:00:00:00" latest="03/14/2019:23:59:59" index=old_summary_data $token1$ OR (index=new_raw_data earliest=@d latest=now $sample$)
This will fail:
*Error in 'litsearch' command: Unable to parse the search: Invalid time bounds in search: start=1568869200 > end=1568865600.*
This is due to not having a bracket preceding the first "earliest", as per the Splunk docs:
(https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers)
Example: (earliest="1/22/2018:17:00:00" latest="1/22/2018:18:00:00") OR (earliest="1/22/2018:19:00:00" latest="1/22/2018:20:00:00")
Is there any way I can make a non-bracketed time frame and query honor the
earliest="03/14/2019:00:00:00" latest="03/14/2019:23:59:59" index=old_summary_data $token1$ OR (index=new_raw_data earliest=@d latest=now $sample$)
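Applying the bracketing from the Splunk docs example quoted above to the expanded search gives each OR branch its own time bounds, so the summary branch's earliest/latest no longer collides with the raw branch's @d/now. This is an added illustration, not part of the original post; the second form assumes the macro is redefined as a hypothetical three-argument `my_report(3)` so the time frame is passed in rather than prefixed outside the brackets.

```spl
(earliest="03/14/2019:00:00:00" latest="03/14/2019:23:59:59" index=old_summary_data $token1$)
OR
(index=new_raw_data earliest=@d latest=now $sample$)

(earliest=$earliest$ latest=$latest$ index=old_summary_data $token1$)
OR
(index=new_raw_data earliest=@d latest=now $sample$)
```

The first form is the expanded search; the second is the assumed macro body, invoked as `my_report("03/14/2019:00:00:00", "03/14/2019:23:59:59", sample)` with arguments named earliest, latest and sample.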