Solved: How to restrict timerange in tstats search within ...

DEAD_BEEF · ‎07-19-2018

I have a tstats search panel on a dashboard and I'm trying to limit the timeframe for this particular search (separate from the shared time token). I tried using various commands but just can't seem to get the syntax right. What is the correct syntax to specify time restrictions in a tstats search?

current search query is not limited to the 3 hours, it still runs to whatever the time picker selects.

| tstats hoursago=4 endhoursago=1 count where index=web by _time sourcetype span=15m prestats=t
| timechart span=15m count by sourcetype

renjith_nair · ‎07-19-2018

@DEAD_BEEF,

Try this

| tstats count where (index=_internal earliest=-4h  latest=-1h)  by _time sourcetype span=15m prestats=t
| timechart span=15m count by sourcetype

Happy Splunking!

View solution in original post

renjith_nair · ‎07-19-2018

@DEAD_BEEF,

Try this

| tstats count where (index=_internal earliest=-4h  latest=-1h)  by _time sourcetype span=15m prestats=t
| timechart span=15m count by sourcetype

Happy Splunking!

DEAD_BEEF · ‎07-19-2018

works perfectly! I was so close, I tried earliest/latest in the timechart command, thank you!

How to restrict timerange in tstats search within query?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor