Hi,
I have a search macro. It is used to display charts.
......| timechart partial=false span=$span$ limit=0 usenull=f useother=f per_second(StatusCodeCount) as "Error/Sec" by rate
When i click on view results i get two columns in tabular format. _time and rate. This is fine.
But, when i try to get the results from same search using REST API, i get additional columns _span and _spandays. I searched for these fields in internet, i did not get much info.
Could you please help me understand why additional columns are shown.
Thanks
Strive
Try to remove them with :
<mysearch> | fields -_span -_spandays
Same search behaves different in two interfaces. I would like to know why additional fields are present when search is executed through one interface and not in another.
Moreover i did not find any splunk documentation related to _span and _spandays in internet.
Am i missing something here or is it a bug in splunk?
are you getting the result set same as the GUI