Hi all, here is a well-known question in a new context.
I am comparing data over weeks, but it seems that I'm shifting the old time range to the new range in a slightly wrong way.
Querying over 14 days shows me a complete, filled timeline with events. So far so good. After that I am splitting the old and new week in the known way, doing a double timeshift (for better-formatted timelines: shift thisWeek into the past, get the past week, shift everything 1 week into the future). The additional table command gives me a well-formatted table to see my shifts.
But NOW it happens: I'm working on data over 14 days, and the timeline has events everywhere. Doing the timeshifts, I'm losing my events older than 10 days, so my graph for lastWeek shows only zeros from about the 10th day.
Wtf is happening here? I tried to figure out my mistake using different time ranges: minutes, hours, 1 and 2 days work as intended, 4 days shows the first glitch, and all larger searches lose additional data.
Using this code:
search = index=sw-syslog sourcetype=syslog sysl_na_device="*" AND sysl_gen_warn="*" earliest=-6d@d latest=-0d@d
| eval ReportKey="thisWeek" | eval _time=_time-(60*60*24*7)
| append [search index=sw-syslog sourcetype=syslog sysl_na_device="*" earliest=-13d@d latest=-6d@d
| eval ReportKey="lastWeek" ]
| table _time sysl_na_device sysl_gen_warn ReportKey | eval _time=_time+(60*60*24*7)
| timechart span=12h count(sysl_gen_warn) AS KPI by ReportKey
Thanks for your time and advice ;)
Greets, Michael