I have splunk indexed log for 6 months but I want to search log for 20 days only(from current date till 20 days ago) and draw a chart. What might be the possible search query??
Use the time picker in the search app. It gives you the ability to choose a time period to search.
Edit: to accomplish the same thing directly in the search string, there's lots of info on how to do this here: http://docs.splunk.com/Documentation/Splunk/4.2.2/User/ChangeTheTimeRangeOfYourSearch
Long story short, use earliest=-20d.
OK. It wasn't clear from the original question. I updated my answer with more info.
I want the query for time range on search. Using the picker just gives you output I can't see what query it used.
