
Discrepancy between Fundamentals PDF and Module 5 Video Regarding Timeline Search

superkara
Engager

The Splunk Fundamentals Part 1, Module 5 "Using Search" video says that both selecting and zooming into the timeline with the Zoom to Selection button reuse the same search results and do not redo the search. However, the Fundamentals PDF, pages 67-68, states that selecting a narrower time will not re-execute the search while zooming in with Zoom to Selection will re-execute the search.

 


 

The Splunk documentation does not clarify.

"When you use the timeline to investigate events, you are not running a new search. You are filtering the existing search results."

"When you select a set of bars on the timeline and click Zoom to Selection, your search results are filtered to show only the selected time period. The timeline and events list update to show the results of your selection."

The documentation does not state that Zooming Out re-executes the search, but we know that is the case. It simply states that it chooses new times for the Time Range Picker. Can we assume that when new times are chosen for the Time Range Picker, a new search is executed for the new times? But if that is the case, then that means Zooming In or Zoom to Select will also re-execute the search.

When actually testing Splunk's timeline for Zooming Out and Zoom to Selection, I can see that all of the previous search results disappear, my page refreshes, and new results are displayed. Doesn't that mean the search has been re-executed? Whereas when I simply select a timeframe in the timeline (but do not press Zoom to Selection), the results change to show only the related events, but the page does not refresh.

Some official clarification or even perhaps an update of the Splunk training would be greatly appreciated.


richgalloway
SplunkTrust

I suggest submitting feedback on the Splunk documentation page.  The Docs team is good about adding clarifications in response to user feedback.

---
If this reply helps you, Karma would be appreciated.