DEAD_BEEF
Builder
07-19-2018
07:52 AM
I have a tstats search panel on a dashboard and I'm trying to limit the timeframe for this particular search (separate from the shared time token). I tried using various commands but just can't seem to get the syntax right. What is the correct syntax to specify time restrictions in a tstats search?
The current search query is not limited to the 3 hours; it still runs to whatever the time picker selects.
| tstats hoursago=4 endhoursago=1 count where index=web by _time sourcetype span=15m prestats=t
| timechart span=15m count by sourcetype
1 Solution

renjith_nair
Legend
07-19-2018
08:11 AM
@DEAD_BEEF,
Try this
| tstats count where (index=_internal earliest=-4h latest=-1h) by _time sourcetype span=15m prestats=t
| timechart span=15m count by sourcetype
---
What goes around comes around. If it helps, hit it with Karma 🙂

DEAD_BEEF
Builder
07-19-2018
08:19 AM
Works perfectly! I was so close, I tried earliest/latest in the timechart command, thank you!
