Re: Displaying results of same search over period ...

mo86 · ‎08-30-2018

I have the following search and am looking to display its results over the past 30 days. It currently shows the results but only the current day is accurate. Any advice would be much appreciated...

index=data NOT ID="" earliest=-30d@d latest=now|regex name!="[a-z]."|dedup id2|timechart span=1d count

richgalloway · ‎08-30-2018

You probably don't need dedup. Try this search:

index=data NOT ID="" earliest=-30d@d latest=now|regex name!="[a-z]."|timechart span=1d dc(id2) as count

---
If this reply helps you, Karma would be appreciated.

inventsekar · ‎08-30-2018

It currently shows the results but but only the current day is accurate///
more details required.. may we know how you say that only current day is accurate, the older day logs are loaded properly or any issues?!?!

mo86 · ‎08-30-2018

I believe there is something wrong with the dedup. Today shows the correct value and the day before shows a number, in this case 3. When I remove dedup all the results are off by 3.

mo86 · ‎08-30-2018

Is there any way I can break up the search to make it dedup by one day at a time not across the whole thing?

Displaying results of same search over period of time

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!