Hi,
I'm creating a dashboard with some general info, shown as the first dashboard to the user.
I have two distinct hiddensearch modules, both of them with this "search" param:
" | eventcount | stats sum(count) as count"
The second module has an "earliest" param too, set to -w, to find just the events of the last week.
However, I always get the same result for both searches. I checked the data, and I should have very different results.
Thanks in advance for your answers!
Edit: now I'm using this query:
search earliest=-w | stats count
Is there a better (and more efficient) way to get the same result?
eventcount does not work with earliest/latest. It's a metadata command, and does not look at the events themselves (so it cannot determine timestamps).
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eventcount
/k
Thanks, I solved my issue using this query:
search earliest=-w | stats count
The eventcount command just returns the total amount of events in the index. The earliest parameter won't have an impact on this search.