Splunk Search

If you create a timechart with a span, and then set "earliest" and "latest" parameters, does one overwrite the other?

IRHM73
Motivator

Hi,

I wonder if someone could help me please with a search I have and I apologize in advance for the newbie question.

If you create a timechart with a span, and then you set an 'Earliest' and 'Latest' time period, does one overwrite the other?

Could someone perhaps explain the difference please.

Many thanks and kind regards

Chris

1 Solution

jeffland
SplunkTrust

These settings will not overwrite each other, they do different things.

When you set earliest and latest, this is a setting that applies to your entire search and determines from which period of time to fetch results. It's like giving someone the pages of a book in which to look for something, i.e.

Go through pages 12 to 25 and count how often you find the word 'hint'.

You may want to see these results in different forms, i.e. you might want to see the total of these occurrences, or you might want to know how many there are per page, or in the first and last six pages of this "span". When you set a span, you tell the timechart command how to aggregate its results by defining the size of your (time) buckets. To continue with the above example, this would be like saying

Go through pages 12 to 25 and count how often you find the word 'hint', but show me how many of these occurrences were on pages 12 to 18 and how many were on pages 19 to 25.

In these examples, the pages represent arbitrary time elements. I hope you get what I'm trying to show, feel free to come back with any questions!


DMohn
Motivator

No, these settings won't overwrite each other, since they are intended to do different things.

yoursearch earliest=-12h latest=-6h | timechart count()

This example will show you all results in the timeframe from 12h ago until 6h ago

yoursearch earliest=-12h latest=-6h | timechart span=1h count()

will do the same, but organize your results in buckets, so you will have accumulated results per hour
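To make the two knobs concrete, here is an added Python model of what the two answers describe (example code written for this page, not from the thread and not Splunk's own code). It assumes a fixed "now", a constructed stream of one failed-login event every 20 minutes, and the following Splunk semantics as I understand them: earliest is inclusive and latest is exclusive, a plain -12h is not snapped to a clock boundary, and timechart aligns its span buckets to clock boundaries rather than to earliest. The consequence worth seeing is that earliest=-12h latest=-6h with span=1h yields seven buckets, the first and last of them partial, while snapping the window with -12h@h and -6h@h yields six full buckets over the same number of events.

```python
from datetime import datetime, timedelta, timezone

# Assumed "now" so the demo is deterministic (10:37 UTC, deliberately off the hour).
NOW = datetime(2024, 3, 14, 10, 37, tzinfo=timezone.utc)

# Constructed sample data: one failed-login event every 20 minutes for the last 24h.
EVENTS = [NOW - timedelta(minutes=20 * i) for i in range(72)]


def relative(hours_ago, snap_to_hour=False):
    """Model a relative time modifier: -Nh, or -Nh@h when snap_to_hour is set."""
    t = NOW - timedelta(hours=hours_ago)
    if snap_to_hour:
        t = t.replace(minute=0, second=0, microsecond=0)
    return t


def search_window(events, earliest, latest):
    """earliest/latest apply to the whole search: keep events with earliest <= _time < latest."""
    return [e for e in events if earliest <= e < latest]


def timechart_count(events, span):
    """span only controls aggregation: count events per clock-aligned bucket of width `span`.

    Buckets are aligned to multiples of `span` since the epoch, not to `earliest`,
    so an unsnapped window starts and ends with partial buckets.
    """
    span_s = int(span.total_seconds())
    counts = {}
    for e in events:
        ts = int(e.timestamp())
        bucket = datetime.fromtimestamp(ts - ts % span_s, tz=timezone.utc)
        counts[bucket] = counts.get(bucket, 0) + 1
    return dict(sorted(counts.items()))


def run(earliest, latest, span):
    """Equivalent of: yoursearch earliest=... latest=... | timechart span=... count"""
    return timechart_count(search_window(EVENTS, earliest, latest), span)


if __name__ == "__main__":
    one_hour = timedelta(hours=1)

    # earliest=-12h latest=-6h | timechart span=1h count  (window 22:37 .. 04:37)
    unsnapped = run(relative(12), relative(6), one_hour)
    # earliest=-12h@h latest=-6h@h | timechart span=1h count  (window 22:00 .. 04:00)
    snapped = run(relative(12, True), relative(6, True), one_hour)

    for label, result in (("unsnapped", unsnapped), ("snapped  ", snapped)):
        print(label, sum(result.values()), "events in", len(result), "buckets:",
              [f"{b:%H:%M}={n}" for b, n in result.items()])
```

Both runs contain the same 18 events, because the time window decides what is fetched and the span only decides how those events are grouped. The unsnapped run reports 2 and 1 events in its edge buckets, which on a real dashboard looks like a dip in authentication failures at either end of the chart when nothing has changed; snapping earliest and latest to the span boundary removes that artefact.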

IRHM73
Motivator

Hi @DMohn, thank you very much for taking the time to reply to my post and for the explanation.

Very helpful indeed!

Kind Regards

Chris

IRHM73
Motivator

Hi @jeffland, thank you for taking the time to come back to me with a very comprehensive and understandable reply.

Greatly appreciate!

Many thanks and kind regards

Chris
