https://community.splunk.com/t5/Splunk-Search/timechart-span-1w-gives-different-results-compared-to-timechart/m-p/267686#M80520 <P>When you run the report using parameters</P> <PRE><CODE>... earliest=-1w@w latest=@w </CODE></PRE> <P>Splunk will snap precisely to the beginning and end of a calendar week (The start of Sunday through the end of Saturday night) and will show you the data from that entire (and precise) week. No more, no less. For my example I was running (not important what it was exactly), I get exactly 5089 events in that time span.</P> <P>When you search by leaving off the earliest and latest, but with an added timechart and span: </P> <PRE><CODE>... | timechart span=1w count </CODE></PRE> <P>Splunk will snap to whatever your time selector has as the start then splitt the time since then into 1 week periods. So, if I run my example on a Thursday over the "last 7 days" time frame with that <CODE>span=1w</CODE> timechart, I get TWO lines. The first output line spans the 7 days previous to the current day's start which is from 7 days ago through last night at midnight. The second line showing the data for today. Neither of these are 5089, both are less. If you click on an item in the _time column, it's little pop-up header will tell you the exact time frame it covers.</P> <P>Now, you can have both. If you set earliest in your base search, then set your timechart and snap, you can get matching numbers. In that case...</P> <PRE><CODE>... earliest=-1w@w latest=@w | timechart span=1w count </CODE></PRE> <P>Gives just the one week, a count of 5089.</P> <P>Likewise, </P> <PRE><CODE>... earliest=-1w@w | timechart span=1w count </CODE></PRE> <P>Would give two lines, the first output line being for essentially <CODE>-1w@w</CODE> to <CODE>@w</CODE> (which matches my original exactly - 5089 events) and a second line for this week so far.</P> <P>So, really your issue is probably just the interaction between those few places timeframes can be set and your snap to periods. Hopefully this is enough to get you started.</P> Fri, 05 Feb 2016 03:37:10 GMT Richfez 2016-02-05T03:37:10Z https://community.splunk.com/t5/Splunk-Search/timechart-span-1w-gives-different-results-compared-to-timechart/m-p/267684#M80518 <P>Hello I have a simple query where the first report is built using</P> <P>report 1:</P> <P>earliest=-1w@w1 latest=w1</P> <P>now on report 2</P> <P>I am just referencing this report 1 via: savedsearch and grabbing 4 weeks of data back and splitting it into 1 week chunks - now the issue is I am getting a mismatch in the total for the latest week:</P> <P>report 2:</P> <P>|savedsearch report 1<BR /> | timechart span=1w count</P> <P>In report 2 - I get a smaller set of numbers compared to report 1 for that same 1 week.</P> Thu, 04 Feb 2016 18:06:46 GMT https://community.splunk.com/t5/Splunk-Search/timechart-span-1w-gives-different-results-compared-to-timechart/m-p/267684#M80518 TCK101 2016-02-04T18:06:46Z https://community.splunk.com/t5/Splunk-Search/timechart-span-1w-gives-different-results-compared-to-timechart/m-p/267685#M80519 <P>Shouldn't the timerange for report1 be <CODE>earliest=-1w@w1 latest=@w1</CODE> ??</P> Thu, 04 Feb 2016 19:22:57 GMT https://community.splunk.com/t5/Splunk-Search/timechart-span-1w-gives-different-results-compared-to-timechart/m-p/267685#M80519 somesoni2 2016-02-04T19:22:57Z https://community.splunk.com/t5/Splunk-Search/timechart-span-1w-gives-different-results-compared-to-timechart/m-p/267686#M80520 <P>When you run the report using parameters</P> <PRE><CODE>... earliest=-1w@w latest=@w </CODE></PRE> <P>Splunk will snap precisely to the beginning and end of a calendar week (The start of Sunday through the end of Saturday night) and will show you the data from that entire (and precise) week. No more, no less. For my example I was running (not important what it was exactly), I get exactly 5089 events in that time span.</P> <P>When you search by leaving off the earliest and latest, but with an added timechart and span: </P> <PRE><CODE>... | timechart span=1w count </CODE></PRE> <P>Splunk will snap to whatever your time selector has as the start then splitt the time since then into 1 week periods. So, if I run my example on a Thursday over the "last 7 days" time frame with that <CODE>span=1w</CODE> timechart, I get TWO lines. The first output line spans the 7 days previous to the current day's start which is from 7 days ago through last night at midnight. The second line showing the data for today. Neither of these are 5089, both are less. If you click on an item in the _time column, it's little pop-up header will tell you the exact time frame it covers.</P> <P>Now, you can have both. If you set earliest in your base search, then set your timechart and snap, you can get matching numbers. In that case...</P> <PRE><CODE>... earliest=-1w@w latest=@w | timechart span=1w count </CODE></PRE> <P>Gives just the one week, a count of 5089.</P> <P>Likewise, </P> <PRE><CODE>... earliest=-1w@w | timechart span=1w count </CODE></PRE> <P>Would give two lines, the first output line being for essentially <CODE>-1w@w</CODE> to <CODE>@w</CODE> (which matches my original exactly - 5089 events) and a second line for this week so far.</P> <P>So, really your issue is probably just the interaction between those few places timeframes can be set and your snap to periods. Hopefully this is enough to get you started.</P> Fri, 05 Feb 2016 03:37:10 GMT https://community.splunk.com/t5/Splunk-Search/timechart-span-1w-gives-different-results-compared-to-timechart/m-p/267686#M80520 Richfez 2016-02-05T03:37:10Z