Re: Is there a visualization of the _time and aler...

danielbb · ‎03-12-2020

Is there a visualization of the _time and alerts issues, such as the one described at How to alert using _indextime for window instead of _time ?

I need to visually show it to the managers here.

woodcock · ‎03-21-2020

First, set your Timepicker on the Advanced tab and set Earliest to 0 and Latest to +Infinty (NOTE: DO NOT use All Time because in some versions of Splunk it uses now for Latest instead of +Infinity). Next use a search like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" _index_earliest=-6m@m _index_latest=-5m ...

richgalloway · ‎03-12-2020

What "time and alerts issues" are you talking about?
What difficulty are you having modifying the search in the cited answer to suit your needs?

---
If this reply helps you, Karma would be appreciated.

danielbb · ‎03-13-2020

The issue is described at the link - when to use _indextime in alerts in addition to _time. Is there a visualization that shows how they can be used in alerts?

niketn · ‎03-14-2020

@danielbb check out Timeline Custom Visualization

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Is there a visualization of the _time and alerts issues?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

Is there a visualization of the _time and alerts issues?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions