Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Hidden Search only showing one hours data

MickSheppard
Path Finder
‎12-02-2011 05:05 AM

I have a dashboard with a hidden search defined the results from which are used to drive a number of charts. I have the earliest time set to -6h to give a reasonable view on the data I have summarised at 5 minute intervals.

When I look at the dashboard only the data from the last hour is shown in the charts on the dashboard. If I take the same search and run it manually I get results from all of the 6 hour period and replicating the charting from that manual search gives me the charts I expect.

The hidden search is defined as follows:


index=summary report="gad_dashboard_report" | bin _time span=5min
-6h

This is then used in various PostProcby various HiddenPostProcess modules in my dashboard. Can anyone explain how to get the whole 6 hour period rather than only the last hour?

The charts have a six hour period on them, just no data. The 6 hour search returns around 1000 matching events. Changing the earliest time value to 3 hours adjusts the size of the charts, the timeline is reduced from 6 hours to 3, but doesn't result in any more data being seen.

Reply
1 Solution
Solved! Jump to solution
Solution

MickSheppard
Path Finder
‎01-31-2012 07:46 AM

This turned out to be an event limit in the hidden search. If I changed the searches to not be hidden ones then I got the full set of results for the graphs.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MickSheppard
Path Finder
‎01-31-2012 07:46 AM

This turned out to be an event limit in the hidden search. If I changed the searches to not be hidden ones then I got the full set of results for the graphs.

0 Karma
Reply
Solved! Jump to solution

dvb
Path Finder
‎12-22-2011 02:35 AM

Try with another span: Probably splunk cannot show more than 1 hour with a 5 minute span.

0 Karma
Reply
Solved! Jump to solution

Drainy
Champion
‎12-04-2011 03:50 PM

what happens if you delete the earliest param and put the earliest command into the search, e.g;

<module name="HiddenSearch" layoutpanel="panel_row2_col1" autorun="True">
    <param name="search">index=summary report="gad_dashboard_report" earliest=-6h | bin _time span=5min</param>
0 Karma
Reply
Solved! Jump to solution

MickSheppard
Path Finder
‎12-07-2011 06:25 AM

Sadly it makes no difference at all. I still only see the last hour worth of results in the graphs.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...