Re: Trendline using a different time selection

scannon4 · ‎07-17-2018

Ok need help with a trend line. I have a search that shows just the previous quarter. I need the trend line in my single value chart to show values from a rolling 13 month period that we normally set with a time picker. The search uses earliest and latest in it to force results for quarter. The trend line has to have a different time period. Example search below. Thoughts?

index=foo sourcetype=footype source=foosource earliest=-2q@q latest=-1q@q
| eval indextime=_indextime
| dedup source _time sortby -indextime -_time
| stats sum("Regulatory Issue Med") AS med sum("Regulatory Issue High") AS high sum("Regulatory Issue Low") AS low by _time
| eval total=(low + med + high)
| bin _time span=1month
| stats sum(total) as Total by _time

scannon4 · ‎07-17-2018

I am thinking I need to take a different stance. If I change my search to default to the time picker (which defaults to the 13 month time frame mentioned), how can I make the timechart only show the last quarter?

CarsonZa · ‎07-17-2018

try using join

then forcing the time range just like you have done above in your sub search. Be aware of subsearch timeouts though, I believe default is 60 seconds.

scannon4 · ‎07-17-2018

If I do a join with same search, changing earliest=-13mon@mon latest=-1mon@mon, how would I use those results as the trendline? Is that even possible with the single value visualization?

Trendline using a different time selection

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life