Timechart using Subsearch to set Span

moogmusic · ‎07-03-2020

I'm trying to use a Subsearch to set the span parameter in timechart - other posts have suggested something like this:

| timechart [ stats count | addinfo | eval timerange=1593817200-1593730800
| eval span=case(timerange<=3600,"1m",timerange<=14400,"15m",timerange<=86400,"30m",timerange<=2592000,"1d",timerange>2592000,"1mon")
| return span ] sum(raw_len_gb) as GB by index cont=f

When. I run the search, I get no events matching. However if I expand the search (Ctrl+E) then it resolves to the expected value and the expanded search runs no problem.

Any ideas? Thanks

to4kawa · ‎07-03-2020

index=_internal 
| timechart [|makeresults | eval query="span=10m"| return $query] count

That's interesting. I think it's better to send text.

moogmusic · ‎07-06-2020

Thanks for the suggestion but I'm not quite sure what you mean?

moogmusic · ‎07-06-2020

I tried what you suggest. and get the same result - the query matches no events but then if I expand it and run the expansion, it works fine.

to4kawa · ‎07-06-2020

I think your problem is macro settings, not your question.

Timechart using Subsearch to set Span

subsearch

timechart

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!