Discrepancy between Fundamentals PDF and Module 5 Video Regarding Timeline Search

superkara
Engager

The Splunk Fundamentals Part 1, Module 5 "Using Search" video says that both selecting and zooming into the timeline with the Zoom to Selection button reuse the same search results and do not redo the search. However, the Fundamentals PDF, pages 67-68, states that selecting a narrower time will not re-execute the search, while zooming in with Zoom to Selection will re-execute the search.

 


 

The Splunk documentation does not clarify.

"When you use the timeline to investigate events, you are not running a new search. You are filtering the existing search results."

"When you select a set of bars on the timeline and click Zoom to Selection, your search results are filtered to show only the selected time period. The timeline and events list update to show the results of your selection."

The documentation does not state that Zooming Out re-executes the search, but we know that is the case. It simply states that it chooses new times for the Time Range Picker. Can we assume that when new times are chosen for the Time Range Picker, a new search is executed for the new times? But if that is the case, then that means Zooming In or Zoom to Select will also re-execute the search.

When actually testing Splunk's timeline for Zooming Out and Zoom to Selection, I can see that all of the previous search results disappear, my page refreshes, and new results are displayed. Doesn't that mean the search has been re-executed? Whereas when I simply select a timeframe in the timeline (but do not press Zoom to Selection), the results change to show only the related events, but the page does not refresh.

Some official clarification or even perhaps an update of the Splunk training would be greatly appreciated.


richgalloway
SplunkTrust

I suggest submitting feedback on the Splunk documentation page. The Docs team is good about adding clarifications in response to user feedback.

---
If this reply helps you, Karma would be appreciated.