Hi,
I wonder if someone could help me please with a search I have and I apologize in advance for the newbie question.
If you create a timechart with a span, and then you set an 'Earliest' and 'Latest' time period, does one overwrite the other?
Could someone perhaps explain the difference please.
Many thanks and kind regards
Chris
These settings will not overwrite each other, they do different things.
When you set earliest and latest, this is a setting that applies to your entire search and determines from which period of time to fetch results. It's like giving someone the pages of a book in which to look for something, i.e.
Go through pages 12 to 25 and count how often you find the word 'hint'.
You may want to see these results in different forms, i.e. you might want to see the total of these occurrences, or you might want to know how many there are per page, or in the first and last six pages of this "span". When you set a span, you tell the timechart command how to aggregate its results by defining the size of your (time) buckets. To continue with the above example, this would be like saying
Go through pages 12 to 25 and count how often you find the word 'hint', but show me how many of these occurrences were on pages 12 to 18 and how many were on pages 19 to 25.
In these examples, the pages represent arbitrary time elements. I hope you get what I'm trying to show, feel free to come back with any questions!
No, these settings won't overwrite each other, since they are intended to do different things.
yoursearch earliest=-12h latest=-6h | timechart count()
This example will show you all results in the timeframe from 12h ago until 6h ago
yoursearch earliest=-12h latest=-6h | timechart span=1h count()
will do the same, but organize your results in buckets, so you will have accumulated results per hour
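The two steps from the answers above, as an added Python simulation that is not part of the original thread and is not Splunk code: the time range selects events first, then the span only groups what was selected. The event data is constructed, the function names are hypothetical, and aligning buckets to epoch multiples is a simplifying assumption.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

def search_window(events, now, earliest, latest):
    """earliest/latest: keep only events with now+earliest <= t < now+latest."""
    lo, hi = now + earliest, now + latest
    return [t for t in events if lo <= t < hi]

def timechart_count(times, span):
    """span: group the already-selected events into fixed-size time buckets."""
    step = int(span.total_seconds())
    buckets = Counter()
    for t in times:
        # Assumption for this sketch: bucket starts are multiples of the span
        # counted from the Unix epoch.
        start = int(t.timestamp()) // step * step
        buckets[datetime.fromtimestamp(start, timezone.utc)] += 1
    return dict(sorted(buckets.items()))

# Constructed sample data: one event every 20 minutes for the 24 hours before NOW.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [NOW - timedelta(minutes=20 * i) for i in range(1, 73)]

def demo():
    # Equivalent of earliest=-12h latest=-6h: decides WHICH events are fetched.
    selected = search_window(EVENTS, NOW, timedelta(hours=-12), timedelta(hours=-6))
    # Equivalent of span=1h and span=3h: decides HOW those events are grouped.
    hourly = timechart_count(selected, timedelta(hours=1))
    three_hourly = timechart_count(selected, timedelta(hours=3))
    return selected, hourly, three_hourly

if __name__ == "__main__":
    selected, hourly, three_hourly = demo()
    print(len(selected), "events selected by earliest/latest")
    for label, chart in (("span=1h", hourly), ("span=3h", three_hourly)):
        print(label)
        for start, count in chart.items():
            print(" ", start.isoformat(), count)
```

Changing the span changes the number of rows, never the total: both charts add up to the same events that the time range selected.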
Hi @DMohn, thank you very much for taking the time to reply to my post and for the explanation.
Very helpful indeed!
Kind Regards
Chris
Hi @jeffland, thank you for taking the time to come back to me with a very comprehensive and understandable reply.
Greatly appreciated!
Many thanks and kind regards
Chris