- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Hidden Search only showing one hours data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a dashboard with a hidden search defined the results from which are used to drive a number of charts. I have the earliest time set to -6h to give a reasonable view on the data I have summarised at 5 minute intervals.
When I look at the dashboard only the data from the last hour is shown in the charts on the dashboard. If I take the same search and run it manually I get results from all of the 6 hour period and replicating the charting from that manual search gives me the charts I expect.
The hidden search is defined as follows:
This is then used in various PostProcby various HiddenPostProcess modules in my dashboard. Can anyone explain how to get the whole 6 hour period rather than only the last hour?
The charts have a six hour period on them, just no data. The 6 hour search returns around 1000 matching events. Changing the earliest time value to 3 hours adjusts the size of the charts, the timeline is reduced from 6 hours to 3, but doesn't result in any more data being seen.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This turned out to be an event limit in the hidden search. If I changed the searches to not be hidden ones then I got the full set of results for the graphs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This turned out to be an event limit in the hidden search. If I changed the searches to not be hidden ones then I got the full set of results for the graphs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try with another span: Probably splunk cannot show more than 1 hour with a 5 minute span.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what happens if you delete the earliest param and put the earliest command into the search, e.g;
<module name="HiddenSearch" layoutpanel="panel_row2_col1" autorun="True">
<param name="search">index=summary report="gad_dashboard_report" earliest=-6h | bin _time span=5min</param>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sadly it makes no difference at all. I still only see the last hour worth of results in the graphs.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
