Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Hidden Search only showing one hours data

MickSheppard
Path Finder
‎12-02-2011 05:05 AM

I have a dashboard with a hidden search defined the results from which are used to drive a number of charts. I have the earliest time set to -6h to give a reasonable view on the data I have summarised at 5 minute intervals.

When I look at the dashboard only the data from the last hour is shown in the charts on the dashboard. If I take the same search and run it manually I get results from all of the 6 hour period and replicating the charting from that manual search gives me the charts I expect.

The hidden search is defined as follows:


index=summary report="gad_dashboard_report" | bin _time span=5min
-6h

This is then used in various PostProcby various HiddenPostProcess modules in my dashboard. Can anyone explain how to get the whole 6 hour period rather than only the last hour?

The charts have a six hour period on them, just no data. The 6 hour search returns around 1000 matching events. Changing the earliest time value to 3 hours adjusts the size of the charts, the timeline is reduced from 6 hours to 3, but doesn't result in any more data being seen.

Reply
1 Solution
Solved! Jump to solution
Solution

MickSheppard
Path Finder
‎01-31-2012 07:46 AM

This turned out to be an event limit in the hidden search. If I changed the searches to not be hidden ones then I got the full set of results for the graphs.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MickSheppard
Path Finder
‎01-31-2012 07:46 AM

This turned out to be an event limit in the hidden search. If I changed the searches to not be hidden ones then I got the full set of results for the graphs.

0 Karma
Reply
Solved! Jump to solution

dvb
Path Finder
‎12-22-2011 02:35 AM

Try with another span: Probably splunk cannot show more than 1 hour with a 5 minute span.

0 Karma
Reply
Solved! Jump to solution

Drainy
Champion
‎12-04-2011 03:50 PM

what happens if you delete the earliest param and put the earliest command into the search, e.g;

<module name="HiddenSearch" layoutpanel="panel_row2_col1" autorun="True">
    <param name="search">index=summary report="gad_dashboard_report" earliest=-6h | bin _time span=5min</param>
0 Karma
Reply
Solved! Jump to solution

MickSheppard
Path Finder
‎12-07-2011 06:25 AM

Sadly it makes no difference at all. I still only see the last hour worth of results in the graphs.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...