Splunk Enterprise

help on base search time modifier

jip31
Motivator

hi

 

as you can see I use a base search in order to dis play two single pnels, one on the last 24 h and one on the last 7 days

so for the second panel I need to put the time range on the last 7 days

I have done this but it doesn't works :

<earliest>-7d@d</earliest>
          <latest>now</latest>

 

  <row>
    <panel>
      <title>Incidents ouverts</title>
      <single>
        <title>Intervalle de remps : 24 dernières heures</title>
        <search id="countsite">
          <query>`index_mes` sourcetype=sig sig_app="$site$" 
| stats dc(sig_id)</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="height">200</option>
        <option name="rangeColors">["0x53a051","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="rangeValues">[0,5,10]</option>
        <option name="refresh.display">progressbar</option>
        <option name="useColors">1</option>
      </single>
    </panel>
    <panel>
      <title>Incidents ouverts</title>
      <single>
        <title>Intervalle de remps : 7 derniers jours</title>
        <search base="countsite">
          <query>
| stats dc(sig_id)</query>
      

what is the problem please?

 

Labels (1)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

The base search has to cover the widest time range

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
<query>`index_mes` sourcetype=sig sig_app="$site$" 
| where _time>=relative_time(now(),"-24h@h")
| stats dc(sig_id)</query>

You can't change the time period of the search - try filtering (assuming the base query still has the data you need)

0 Karma

jip31
Motivator

sorry but its not the aim of my question

I use a base search in order to avoid to reuse the code below in my second search

`index_mes` sourcetype=sig sig_app="$site$" 

But in this second search, the time range of the single panel has to be on the last 7 days instead on the last 24 h

But I dont how to specify it in the code....

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The base search has to cover the widest time range

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...