https://community.splunk.com/t5/Splunk-Search/Bucket-time-span-causing-incorrect-date-entries/m-p/146631#M40946 <P>I have the following query:</P> <PRE><CODE>some query... | bucket _time span=1d | eval date=strftime(_time, "%b %d, %Y") | chart avg(value) as Value over date </CODE></PRE> <P>Which is tethered to the following time span:</P> <PRE><CODE> &lt;earliest&gt;-$global_time$d@d&lt;/earliest&gt; &lt;latest&gt;-1@d&lt;/latest&gt; </CODE></PRE> <P>Where global_time can be any integer representing a number of days.</P> <P>The data that comes out is correct but the statistics (and therefor visualization) always show the first day of the current month as the first entry, if I search over let's say 40 days I get the following result:</P> <P>1st July ... 28th July, 24th June, 25th June, 26th June, 29th June... until 40 posts has been filled. What is wrong here???</P> <P>Weekends are not included as there is no output data for Value during those days. </P> Wed, 29 Jul 2015 09:38:35 GMT ohlafl 2015-07-29T09:38:35Z https://community.splunk.com/t5/Splunk-Search/Bucket-time-span-causing-incorrect-date-entries/m-p/146631#M40946 <P>I have the following query:</P> <PRE><CODE>some query... | bucket _time span=1d | eval date=strftime(_time, "%b %d, %Y") | chart avg(value) as Value over date </CODE></PRE> <P>Which is tethered to the following time span:</P> <PRE><CODE> &lt;earliest&gt;-$global_time$d@d&lt;/earliest&gt; &lt;latest&gt;-1@d&lt;/latest&gt; </CODE></PRE> <P>Where global_time can be any integer representing a number of days.</P> <P>The data that comes out is correct but the statistics (and therefor visualization) always show the first day of the current month as the first entry, if I search over let's say 40 days I get the following result:</P> <P>1st July ... 28th July, 24th June, 25th June, 26th June, 29th June... until 40 posts has been filled. What is wrong here???</P> <P>Weekends are not included as there is no output data for Value during those days. </P> Wed, 29 Jul 2015 09:38:35 GMT https://community.splunk.com/t5/Splunk-Search/Bucket-time-span-causing-incorrect-date-entries/m-p/146631#M40946 ohlafl 2015-07-29T09:38:35Z https://community.splunk.com/t5/Splunk-Search/Bucket-time-span-causing-incorrect-date-entries/m-p/146632#M40947 <P>It is because your <CODE>date</CODE> field is being sorted alphabetically and "1" always comes first. Try this:</P> <PRE><CODE>some query... | bucket _time span=1d | eval date=_time | fieldformat date=strftime(date, "%b %d, %Y") | chart avg(value) as Value over date </CODE></PRE> Wed, 29 Jul 2015 10:48:47 GMT https://community.splunk.com/t5/Splunk-Search/Bucket-time-span-causing-incorrect-date-entries/m-p/146632#M40947 woodcock 2015-07-29T10:48:47Z https://community.splunk.com/t5/Splunk-Search/Bucket-time-span-causing-incorrect-date-entries/m-p/146633#M40948 <P>Thank you.</P> Wed, 29 Jul 2015 13:29:35 GMT https://community.splunk.com/t5/Splunk-Search/Bucket-time-span-causing-incorrect-date-entries/m-p/146633#M40948 ohlafl 2015-07-29T13:29:35Z