Solved: Re: If you create a timechart with a span, and the...

IRHM73 · ‎11-10-2015

Hi,

I wonder if someone could help me please with a search I have and I apologize in advance for the newbie question.

If you create a timechart with a span, and then you set a 'Earliest' and 'Latest' time period, does one overwrite the other?

Could someone perhaps explain the difference please.

Many thanks and kind regards

Chris

jeffland · ‎11-10-2015

These settings will not overwrite each other, they do different things.

When you set earliest and latest, this is a setting that applies to your entire search and determines from which period of time to fetch results. It's like giving someone the pages of a book in which to look for something, i.e.

Go through pages 12 to 25 and count how often you find the word 'hint'.

You may want to see these results in different forms, i.e. you might want to see the total of these occurences, or you might want to know how many there are per page, or in the first and last six pages of this "span". When you set a span, you tell the timechart command how to aggregate its results by defining the size of your (time) buckets. To continue with the above example, this would be like saying

Go through pages 12 to 25 and count how often you find the word 'hint', but show me how many of these occurences were on pages 12 to 18 and how many were on pages 19 to 25.

In these examples, the pages represent arbitrary time elements. I hope you get what I'm trying to show, feel free to come back with any questions!

View solution in original post

DMohn · ‎11-10-2015

No, these settings won't overwrite each other, since they are inteded to do different things.

yoursearch earliest=-12h latest=-6h | timechart count()

This example will show you all results in the timeframe from 12h ago until 6h ago

yoursearch earliest=-12h latest=-6h | timechart span=1h count()

will do the same, but organize your results in buckets, so you will have accumulated results per hour

IRHM73 · ‎11-10-2015

Hi @DMohn, thank you very much for taking the time to reply to my post and for the explanation.

Very helpful indeed!

Kind Regards

Chris

jeffland · ‎11-10-2015

These settings will not overwrite each other, they do different things.

When you set earliest and latest, this is a setting that applies to your entire search and determines from which period of time to fetch results. It's like giving someone the pages of a book in which to look for something, i.e.

Go through pages 12 to 25 and count how often you find the word 'hint'.

You may want to see these results in different forms, i.e. you might want to see the total of these occurences, or you might want to know how many there are per page, or in the first and last six pages of this "span". When you set a span, you tell the timechart command how to aggregate its results by defining the size of your (time) buckets. To continue with the above example, this would be like saying

Go through pages 12 to 25 and count how often you find the word 'hint', but show me how many of these occurences were on pages 12 to 18 and how many were on pages 19 to 25.

In these examples, the pages represent arbitrary time elements. I hope you get what I'm trying to show, feel free to come back with any questions!

IRHM73 · ‎11-10-2015

Hi @jeffland, thank you for taking the time to come back to me a very comprehensive and understandable reply.

Greatly appreciate!

Many thanks and kind regards

Chris

If you create a timechart with a span, and then set "earliest" and "latest" parameters, does one overwrite the other?

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team