Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display timechart for certain time period without being affected by earliest?

ojtoids
Explorer
‎04-14-2022 08:37 AM

Im using a search query to search for data in "all time" but want to display timechart only for last 60 days. If i try to use "earliest=-2mon" it shows the timechart for 2 months but also loses the data past 60 days which projects wrong data in timechart.

 

Current query looks like this 

 

 

 

index=data "search criteria" earliest=-2mon | | timechart usenull=f span=1w count by datapoints

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-15-2022 12:52 AM

Try something like this

index=data "search criteria"
| timechart usenull=f span=1w count by datapoints
| where _time >= relative_time(now(),"-2mon")

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-15-2022 12:52 AM

Try something like this

index=data "search criteria"
| timechart usenull=f span=1w count by datapoints
| where _time >= relative_time(now(),"-2mon")
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎04-15-2022 12:49 PM

OK, maybe I fail to see the point here but how is searching across all time and only at the end limiting by _time better than setting earliest? Unless of course there's something strange done with time in the middle, but I assume it isn't. The search in the form of search all time | transform | limit by _time would be hella ineffective since splunk would do a lot of unnecessary calculations which it will in the end drop.

0 Karma
Reply
Solved! Jump to solution

tshah-splunk
Splunk Employee
Splunk Employee
‎04-14-2022 09:38 AM

Hey @ojtoids,

You can use the head command to display the top 8 results. However, it would not be much optimistic approach. Also, when you use earliest in the search query itself, it doesn't matter how much time you select in the time range picker. The query will run for the time defined using the earliest command only. So, if you want to search for data using All time and still display the timechart for the last 2 months only, I would suggest using the head command. Your query should look like below:

index=data "search criteria" earliest=-2mon | | timechart usenull=f span=1w count by datapoints
| head 8 ```Top 8 results```

 

---
If you find the answer helpful, an upvote/karma is appreciated
0 Karma
Reply
Solved! Jump to solution

ojtoids
Explorer
‎04-14-2022 12:50 PM

Hello @tshah-splunk 

Thank you for providing the above. But its not working as its showing top results only for one trendline. I have eval with 5 conditions before the timechart and it displays results only for the first eval condition. 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎04-14-2022 09:50 PM

It's hard to help without more details to your search.

All I can say for now is that you're  using timechart count so you're just aggregating your data points by counting regardless of their value so the actual evals probably don't matter much. But it's hard to say anything past that.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
li.common.scroll-to.top