Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use of autoregress and large time range, but limit results of final search to smaller time range

charlessplunk
New Member
‎08-26-2010 06:04 PM

I am trying to make a chart using autoregress with the previous 365 values/days... My time range needs to be at least 730 days to gather the proper data. This works fine, but I only want the chart display the most recent 365 days, not the entire 730 days (because the first 365 days were only needed to create the data for the autoregress).

Any advice is appreciated!

  • Charles
Tags (1)
0 Karma
Reply
2 Solutions
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-26-2010 06:42 PM

The simple version I think is to just add:

... | where _time >= relative_time(now(),"-365d@d")

to your search. You could also add:

... | addinfo 
    | where _time >= relative_time(info_max_time,"-365d@d") 
    | fields - info_min_time info_max_time info_search_id info_search_time

if you run the report from periods other than now.

View solution in original post

Reply
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎08-26-2010 07:01 PM

Assuming that you have a row for each day, you could also just hardcode getting the last 365 rows, i.e. ... | tail 365 | reverse

(you need the reverse because tail will be an implicit reverse, and I assume you want it back in ascending time order)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

steveyz
Splunk Employee
Splunk Employee
‎08-26-2010 07:01 PM

Assuming that you have a row for each day, you could also just hardcode getting the last 365 rows, i.e. ... | tail 365 | reverse

(you need the reverse because tail will be an implicit reverse, and I assume you want it back in ascending time order)

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-26-2010 06:42 PM

The simple version I think is to just add:

... | where _time >= relative_time(now(),"-365d@d")

to your search. You could also add:

... | addinfo 
    | where _time >= relative_time(info_max_time,"-365d@d") 
    | fields - info_min_time info_max_time info_search_id info_search_time

if you run the report from periods other than now.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...