I can't find the correct syntax to search the last 15 days of logs, relative to the latest entry. My current search is as follows:
source="test.log" CPU_Usage=* | timechart span=20m max(CPU_Usage)
If I change the time range to "latest 15 days", it's relative to NOW, not the latest event.
Please check out this answer for a starting point:
http://answers.splunk.com/answers/10157/custom-time-range-based-on-most-recent-event-time.html
I don't know if this is the best way to do it, but it is one way.
source="test.log" CPU_Usage=*
| join [| metadata type=sources source="test.log"| stats max(lastTime) as latest]
| timechart span=20m max(CPU_Usage)
I get "No results found" when using these lines. Do I need to change anything? The query from Chanfoli returns several hundred results (as it should).
That works with a few changes.
source="*test.log*" CPU_Usage=*
    [ search source="*test.log*" CPU_Usage=*
      | head 1
      | eval earliest=relative_time(_time, "-15d")
      | eval latest=_time+1
      | fields earliest latest
      | format "(" "(" "" ")" "OR" ")" ]
| timechart span=20m max(CPU_Usage)