topic Re: Odd occurence with snapping time in Dashboards & Visualizations

Odd occurence with snapping time

richkappler — Mon, 19 Feb 2018 16:01:48 GMT

I have a search I'm turning into a panel for a pre-existing dashboard. On that dash I have used snap time successfullynumerous times:

<earliest>-6mon@mon</earliest>
<latest>@mon</latest>

which obviously just gives me the previous 6 calendar months. In this new panel I'm adding, I want the previous 3 calendar months, so I'm using:

<earliest>-3mon@mon</earliest>
<latest>@mon</latest>

No brainer. But it's giving me Nov, Dec, Jan, and Feb 1. wtf??? Any ideas what might be going on here?

Re: Odd occurence with snapping time

niketn — Mon, 19 Feb 2018 16:13:50 GMT

@richkappler, are you looking for the following:

<earliest>-6mon@mon</earliest> i.e. 8/1/17 12:00:00.000 AM
<latest>@mon-1d</latest> i.e. 1/31/18 12:00:00.000 AM

<earliest>-3mon@mon</earliest> i.e. 11/1/17 12:00:00.000 AM
<latest>@mon-1d</latest> i.e. 1/31/18 12:00:00.000 AM

Re: Odd occurence with snapping time

richkappler — Mon, 19 Feb 2018 16:15:41 GMT

@mon-1d was the first thing I tried before rbinging the issue here. Made no difference.

Re: Odd occurence with snapping time

niketn — Mon, 19 Feb 2018 16:36:54 GMT

Could this be an issue with Timezone of ingested data and logged in user timezone is different? Can you add the query you are trying to run for above selected time?

Re: Odd occurence with snapping time

richkappler — Mon, 19 Feb 2018 17:05:30 GMT

All times of all events ingested are in UTC. I can't post the actual search due to corporate constraints, but for sake of argument, this should work:

<query>
    index=someIndex
    | eval several fields
    | timechart span=1mon sum(field_0) as first sum(field_1) as second
</query>
<earliest>-3mon@mon</earliest>
<latest>@mon</latest>

as Isaid earlier, I also tried @mon-1d and there was no change

Re: Odd occurence with snapping time

niketn — Tue, 29 Sep 2020 18:08:30 GMT

Can you try with the following and see if correct months are returned?

<YourBaseSearch>
| chart sum(field_0) as first sum(field_1) as second by date_month

PS: Ideally you should perform stats first and then use eval(if possible). In your case since field_0 and field_1 are going to be displayed after timechart command, eval on other fields are not required and for field_0 and field_1 can happen after the statistical aggregation of data.

Re: Odd occurence with snapping time

richkappler — Mon, 19 Feb 2018 17:28:53 GMT

no, now I get no results instead of too many:

"No results found."