Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to display timechart for certain time period without being affected by earliest?

ojtoids
Explorer
‎04-14-2022 08:37 AM

Im using a search query to search for data in "all time" but want to display timechart only for last 60 days. If i try to use "earliest=-2mon" it shows the timechart for 2 months but also loses the data past 60 days which projects wrong data in timechart.

 

Current query looks like this 

 

 

 

index=data "search criteria" earliest=-2mon | | timechart usenull=f span=1w count by datapoints

 

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-15-2022 12:52 AM

Try something like this

index=data "search criteria"
| timechart usenull=f span=1w count by datapoints
| where _time >= relative_time(now(),"-2mon")

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-15-2022 12:52 AM

Try something like this

index=data "search criteria"
| timechart usenull=f span=1w count by datapoints
| where _time >= relative_time(now(),"-2mon")
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎04-15-2022 12:49 PM

OK, maybe I fail to see the point here but how is searching across all time and only at the end limiting by _time better than setting earliest? Unless of course there's something strange done with time in the middle, but I assume it isn't. The search in the form of search all time | transform | limit by _time would be hella ineffective since splunk would do a lot of unnecessary calculations which it will in the end drop.

0 Karma
Reply
Solved! Jump to solution

tshah-splunk
Splunk Employee
Splunk Employee
‎04-14-2022 09:38 AM

Hey @ojtoids,

You can use the head command to display the top 8 results. However, it would not be much optimistic approach. Also, when you use earliest in the search query itself, it doesn't matter how much time you select in the time range picker. The query will run for the time defined using the earliest command only. So, if you want to search for data using All time and still display the timechart for the last 2 months only, I would suggest using the head command. Your query should look like below:

index=data "search criteria" earliest=-2mon | | timechart usenull=f span=1w count by datapoints
| head 8 ```Top 8 results```

 

---
If you find the answer helpful, an upvote/karma is appreciated
0 Karma
Reply
Solved! Jump to solution

ojtoids
Explorer
‎04-14-2022 12:50 PM

Hello @tshah-splunk 

Thank you for providing the above. But its not working as its showing top results only for one trendline. I have eval with 5 conditions before the timechart and it displays results only for the first eval condition. 

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎04-14-2022 09:50 PM

It's hard to help without more details to your search.

All I can say for now is that you're  using timechart count so you're just aggregating your data points by counting regardless of their value so the actual evals probably don't matter much. But it's hard to say anything past that.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...