Splunk Search

timechart span 1w - gives different results compared to timechart span=1w count

New Member

Hello, I have a simple query where the first report is built using

report 1:

earliest=-1w@w1 latest=w1

now on report 2

I am just referencing report 1 via savedsearch, grabbing 4 weeks of data back and splitting it into 1-week chunks. Now the issue is that I am getting a mismatch in the total for the latest week:

report 2:

|savedsearch report 1
| timechart span=1w count

In report 2 - I get a smaller set of numbers compared to report 1 for that same 1 week.

1 Solution

SplunkTrust

When you run the report using parameters

... earliest=-1w@w latest=@w

Splunk will snap precisely to the beginning and end of a calendar week (the start of Sunday through the end of Saturday night) and will show you the data from that entire (and precise) week. No more, no less. For the example I was running (it is not important exactly what it was), I get exactly 5089 events in that time span.

When you search by leaving off the earliest and latest, but with an added timechart and span:

... | timechart span=1w count

Splunk will snap to whatever your time selector has as the start, then split the time since then into 1-week periods. So, if I run my example on a Thursday over the "last 7 days" time frame with that span=1w timechart, I get TWO lines. The first output line spans the 7 days previous to the current day's start, which is from 7 days ago through last night at midnight. The second line shows the data for today. Neither of these is 5089; both are less. If you click on an item in the _time column, its little pop-up header will tell you the exact time frame it covers.

Now, you can have both. If you set earliest in your base search, then set your timechart and snap, you can get matching numbers. In that case...

... earliest=-1w@w latest=@w | timechart span=1w count

Gives just the one week, a count of 5089.

Likewise,

... earliest=-1w@w | timechart span=1w count

Would give two lines, the first output line being for essentially -1w@w to @w (which matches my original exactly - 5089 events) and a second line for this week so far.

So really, your issue is probably just the interaction between the few places time frames can be set and your snap-to periods. Hopefully this is enough to get you started.
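To make that interaction concrete, the following is a small Python model of the behaviour the answer above describes. It is an added example, not code from the post and not Splunk's own implementation. It assumes Splunk's documented modifier semantics (offset applied first, then the snap; @w or @w0 is Sunday, @w1 is Monday; earliest is inclusive and latest exclusive) and, as the answer observed on a Thursday, that timechart span=1w lays its bins out from the search's earliest time in one-week steps, cutting the last bin at latest. The fixed Thursday NOW, the constructed event set, and the functions resolve, search, timechart and constructed_events are all assumptions of this example.

```python
"""Model of how Splunk relative time modifiers (-1w@w, @w, -7d@d) interact with
`| timechart span=1w count`.  Added example; not from the post or Splunk source."""
import re
from datetime import datetime, timedelta

# Assumed fixed "now": Thursday 2024-03-14 14:30, like the Thursday in the answer.
NOW = datetime(2024, 3, 14, 14, 30)
WEEK = timedelta(days=7)
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
# offset, then @snap (with optional weekday digit for @w), then an optional trailing offset
_MOD_RE = re.compile(
    r"^(?:now)?(?:([+-]\d+)([smhdw]))?(?:@([smhdw])([0-6])?)?(?:([+-]\d+)([smhdw]))?$"
)


def _snap(t, unit, dow):
    """Snap t backwards to the start of unit. @w/@w0 = Sunday ... @w6 = Saturday."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    t = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return t
    n = int(dow) if dow else 0          # Splunk weekday numbering: 0 = Sunday
    target = (n - 1) % 7                # Python weekday numbering: Monday = 0 ... Sunday = 6
    return t - timedelta(days=(t.weekday() - target) % 7)


def resolve(modifier, now=NOW):
    """Resolve a Splunk-style relative time modifier against `now`.
    Order follows Splunk's documentation: offset, then snap, then trailing offset."""
    m = _MOD_RE.match(modifier)
    if not modifier or not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    off1, u1, snap_unit, dow, off2, u2 = m.groups()
    t = now
    if off1:
        t += timedelta(**{_UNITS[u1]: int(off1)})
    if snap_unit:
        t = _snap(t, snap_unit, dow)
    if off2:
        t += timedelta(**{_UNITS[u2]: int(off2)})
    return t


def search(events, earliest, latest, now=NOW):
    """Apply a Splunk time range: earliest inclusive, latest exclusive."""
    lo, hi = resolve(earliest, now), resolve(latest, now)
    return [t for t in events if lo <= t < hi], lo, hi


def timechart(events, earliest, latest, span=WEEK, now=NOW):
    """Model of `| timechart span=1w count` as the answer describes it: bins start at the
    search's earliest time and step by `span`; the last bin is cut at latest.
    (Assumption: this reproduces the alignment the answer observed, not Splunk internals.)"""
    hits, lo, hi = search(events, earliest, latest, now)
    rows, start = [], lo
    while start < hi:
        end = min(start + span, hi)
        rows.append((start, end, sum(1 for t in hits if start <= t < end)))
        start = end
    return rows


def constructed_events(now=NOW, days_back=35):
    """Constructed sample data: one event every hour plus day-of-month extra events at
    12:30, so a calendar week and a rolling 7-day window deliberately count differently."""
    day = (now - timedelta(days=days_back)).replace(hour=0, minute=0, second=0, microsecond=0)
    events = []
    while day <= now:
        events += [day + timedelta(hours=h) for h in range(24)]
        events += [day + timedelta(hours=12, minutes=30, seconds=k) for k in range(day.day)]
        day += timedelta(days=1)
    return sorted(t for t in events if t < now)


EVENTS = constructed_events()

if __name__ == "__main__":
    for label, earliest, latest in [
        ("report 1: earliest=-1w@w latest=@w", "-1w@w", "@w"),
        ("'last 7 days' preset, then timechart span=1w", "-7d@d", "now"),
        ("earliest=-1w@w with no latest, then timechart span=1w", "-1w@w", "now"),
    ]:
        print(label)
        for start, end, count in timechart(EVENTS, earliest, latest):
            print(f"  {start:%a %Y-%m-%d %H:%M} -> {end:%a %Y-%m-%d %H:%M}: {count}")
```

Running it prints one row for the calendar week (Sun 03-03 to Sun 03-10), two rows for the "last 7 days" preset (Thu 03-07 to Thu 03-14, then today so far) with different totals, and two rows for earliest=-1w@w with no latest, where the first row equals the calendar-week count exactly and the second is this week so far, which is the answer's point.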


Revered Legend

Shouldn't the time range for report 1 be earliest=-1w@w1 latest=@w1?
