https://community.splunk.com/t5/Dashboards-Visualizations/Hardcoded-Time-Bucketing/m-p/413479#M41046 <P>Hi guys, </P> <P>I was recently given a new data index that has hardcoded time stamps in the event rather than being based on _time. The events are also re-indexed every night rather than being ingested when the event occurred making this more complex. For example, an event that happened aug 14th will have a hardcoded epoch of aug 14th yet the splunk _time date is yesterday evening. Using this data, I have been able to create a time chart but I am having trouble with months with no events. The months that have no events are being skipped (see below picture) because there is no data for that particular month. How can you create buckets based on the hard coded dates or create something to fill these no existent months?<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5589i1EA2DE775E6A5F13/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 20 Aug 2018 18:29:24 GMT zgoda 2018-08-20T18:29:24Z https://community.splunk.com/t5/Dashboards-Visualizations/Hardcoded-Time-Bucketing/m-p/413479#M41046 <P>Hi guys, </P> <P>I was recently given a new data index that has hardcoded time stamps in the event rather than being based on _time. The events are also re-indexed every night rather than being ingested when the event occurred making this more complex. For example, an event that happened aug 14th will have a hardcoded epoch of aug 14th yet the splunk _time date is yesterday evening. Using this data, I have been able to create a time chart but I am having trouble with months with no events. The months that have no events are being skipped (see below picture) because there is no data for that particular month. How can you create buckets based on the hard coded dates or create something to fill these no existent months?<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5589i1EA2DE775E6A5F13/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 20 Aug 2018 18:29:24 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Hardcoded-Time-Bucketing/m-p/413479#M41046 zgoda 2018-08-20T18:29:24Z https://community.splunk.com/t5/Dashboards-Visualizations/Hardcoded-Time-Bucketing/m-p/413480#M41047 <P>1) in your search you can assign the hardcoded epoch time value to<CODE>_time</CODE> to put the event in the right place. </P> <P>2) use <CODE>continuous=t</CODE> on your timechart to set the time gaps at 0. </P> Tue, 21 Aug 2018 20:19:59 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Hardcoded-Time-Bucketing/m-p/413480#M41047 DalJeanis 2018-08-21T20:19:59Z