Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timewrap to restrict fetch for defined period

vickyvishwa
Explorer
‎02-05-2019 01:36 AM

I have a search like below -

mysearch | timechart count span=1h | timewrap 1d

with time range picker for past 7 days. This search fetches all the records for past 7 days with records falling in same Timerange.
But I want to compare the current hour count with last week same day/hour count. And skip timewrap to fetch for remaining 6 days.
In the End of the search I can put a table and fetch only today and 6_days_before columns, but 6 days count fetching is taking lot of time. Rather if we can restrict to fetch only for Present Day and 6 days before, it will be faster.

Any suggestions ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DMohn
Motivator
‎02-05-2019 02:32 AM

Try the following:

 <your base search> earliest=-7d@d latest=-6d@d | append [search <your base search again> earliest=@d latest=now()] | timechart span=1h count | timewrap 1d

This should leave out all the non-desired days...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DMohn
Motivator
‎02-05-2019 02:32 AM

Try the following:

 <your base search> earliest=-7d@d latest=-6d@d | append [search <your base search again> earliest=@d latest=now()] | timechart span=1h count | timewrap 1d

This should leave out all the non-desired days...

0 Karma
Reply
Solved! Jump to solution

vickyvishwa
Explorer
‎02-05-2019 05:49 AM

Thank you. Will this have the restriction of SubSearch ? (50K)

0 Karma
Reply
Solved! Jump to solution

DMohn
Motivator
‎02-05-2019 07:16 AM

Yes it will by default, but you may use the command parameters maxout and maxtime for tuning the returned results of the subsearch.

0 Karma
Reply
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...