I'm trying to apply the week over week design template from http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/
but my counts are being truncated for the last week. (truncated meaning 0 records found for an hour when there should be values).
This fails to find records from "last week"
host=a earliest=-7d@d latest=now
| eval marker="This week"
| append [ search host=a earliest=-14d@d latest=-7d@d
| eval marker="Last week"
| eval _time=_time+60*60*24*7]
| timechart span=1h count(_raw) by marker
Why?
Splunk Version =6.2.0 Splunk Build =237341
↧