Hello,
I did a chart where I compare two time ranges. This is my search:
source="tcp:5543" Service_Type="*" earliest=-0d@d latest=now | multikv | eval ReportKey="today" | append [search source="tcp:5543" Service_Type="*" earliest=-1d@d latest=-0d@d| multikv | eval ReportKey="yesterday" | eval _time=_time+86400] | timechart span=5m count(Service_Type) as "Number of Services" by ReportKey
But I got the following messages when I launched it:
[subsearch]: Your timerange was substituted based on your search string
Your timerange was substituted based on your search string
But I don't understand where the problem is.
Thanks in advance.
Comparing week-over-week results used to be a pain in Splunk, with complex date calculations. No more. Now there is a better way.
I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods.
... | timechart count span=1h | timewrap d
That's it!
Hi LauraBre
Usually this is only information that the time range was set to the time range of your search and not what was chosen with the time picker beside the search box. I was not 100% sure, but I think you can suppress this kind of message somehow.....
Yes, you can suppress it; just follow the instructions from here
hope this helps
cheers,
MuS
Thanks very much, I will look for this and I will post my answer if I choose it.