topic Re: How to display timechart for certain time period without being affected by earliest? in Splunk Search

How to display timechart for certain time period without being affected by earliest?

ojtoids — Thu, 14 Apr 2022 16:24:15 GMT

Im using a search query to search for data in "all time" but want to display timechart only for last 60 days. If i try to use "earliest=-2mon" it shows the timechart for 2 months but also loses the data past 60 days which projects wrong data in timechart.

Current query looks like this

index=data "search criteria" earliest=-2mon | | timechart usenull=f span=1w count by datapoints

Re: How to display timechart for certain time period without being affected by earliest?

tshah-splunk — Thu, 14 Apr 2022 16:38:36 GMT

Hey @ojtoids,

You can use the head command to display the top 8 results. However, it would not be much optimistic approach. Also, when you use earliest in the search query itself, it doesn't matter how much time you select in the time range picker. The query will run for the time defined using the earliest command only. So, if you want to search for data using All time and still display the timechart for the last 2 months only, I would suggest using the head command. Your query should look like below:

index=data "search criteria" earliest=-2mon | | timechart usenull=f span=1w count by datapoints | head 8 ```Top 8 results```

Re: How to display timechart for certain time period without being affected by earliest?

ojtoids — Thu, 14 Apr 2022 19:50:56 GMT

Hello @tshah-splunk

Thank you for providing the above. But its not working as its showing top results only for one trendline. I have eval with 5 conditions before the timechart and it displays results only for the first eval condition.

Re: How to display timechart for certain time period without being affected by earliest?

PickleRick — Fri, 15 Apr 2022 04:50:03 GMT

It's hard to help without more details to your search.

All I can say for now is that you're using timechart count so you're just aggregating your data points by counting regardless of their value so the actual evals probably don't matter much. But it's hard to say anything past that.

Re: How to display timechart for certain time period without being affected by earliest?

ITWhisperer — Fri, 15 Apr 2022 07:52:42 GMT

Try something like this

index=data "search criteria" | timechart usenull=f span=1w count by datapoints | where _time >= relative_time(now(),"-2mon")

Re: How to display timechart for certain time period without being affected by earliest?

PickleRick — Fri, 15 Apr 2022 19:49:30 GMT

OK, maybe I fail to see the point here but how is searching across all time and only at the end limiting by _time better than setting earliest? Unless of course there's something strange done with time in the middle, but I assume it isn't. The search in the form of search all time | transform | limit by _time would be hella ineffective since splunk would do a lot of unnecessary calculations which it will in the end drop.