Hi, I am using Hunk 6.2.
When I select a date-time range from the picker and execute the query, it works fine and shows results.
But when I save it as a dashboard and try to run the same query from the saved dashboard, it says "No Result Found".
The browser's URL shows <URL>/dashboard1__monthly?earliest=1404158400&latest=1406836800
Please help me generate the results using the time range picker in the dashboard.
When opening the dashboard search in the "search view" (by clicking the search "magnifying glass" at the bottom left of the panel) - is the time range correct? Does the search return the correct results then?
Issue = Time range picker preview doesn't work on Hunk
0 = Setup Demo Hunk workload as per: http://docs.splunk.com/Documentation/Hunk/6.4.3/Hunktutorial/Tutorialoverview
1 = Run a search (e.g. index=hunkexample)
2 = Select a timeslice from the timeline.
3 = Observe that no events are returned (bottom right panel is blank).
Answer = The time range preview picker is not expected to work on Hunk.
Cause = This is because Hunk/Hadoop cannot guarantee time-ordered results (because of the way Hadoop returns its results).
Related Bugs to this:
ERP-1938 = Clarify Behaviour.
ERP-1972 = Document behaviour.
When you are working with Hadoop using Hunk or when you are working with Splunk and the time field you want to work with is not _time, you may want to use the time picker in a dashboard with the correct time field. Or you may want to use some timeseries or any other time based Splunk command on that specific time field.
Here is a solution you might use to make time selections work in every case, including in panels.
| inputlookup SampleData.csv
| eval _time=strptime(claimfiling_date,"%Y-%m-%d")
| sort _time
Let's break this down into its parts.
| inputlookup 837SampleData
This is a way to pull in data directly from a csv file so that it behaves just like it would from one of your searches against a Hadoop file that has no _time value.
In your search, you would supply something like [ index=SampleData state="FL" ]
Please remember to add enough filters to the search so that you aren't working with the entire data set. In Hadoop this could be a serious situation, leading to copying literally all of your data to a sort. Remember: filter first, munge later.
| eval _time=strptime(claimfilingdate,"%Y-%m-%d")
This converts the date in "claimfilingdate" into epoch time and stores it in "_time".
| sort _time
This sorts all of the records by time since they weren’t in that order before.
This adds info_min_time and info_max_time fields, which are the min and max of the new values for _time that you have. This is needed for the time control in reports and panels to make it work properly. This is not needed to execute Splunk commands that are time oriented, but it is the magic that will make this work properly in the time drop-down in your panels.
Also, these statements could be added to a macro which you would call like this in your search.
To do this, you define the macro like this
macros.conf
# A macro that takes arguments carries the argument count in its stanza name
[setsorttime(2)]
args = sortdatetime, datetimeformat
definition = eval _time=strptime($sortdatetime$,"$datetimeformat$") | sort _time | addinfo
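The steps from the answer above put together as one panel search, as an added example that is not part of the original answer. It goes one step further than the answer by using the info_min_time and info_max_time fields from addinfo to filter on the recomputed _time, so the picker's range is applied to the date field you chose. The lookup name and the claimfiling_date field are taken from the answer; the state filter and the daily timechart are assumptions for illustration.

```spl
| inputlookup SampleData.csv
| search state="FL"
| eval _time=strptime(claimfiling_date, "%Y-%m-%d")
| where isnotnull(_time)
| addinfo
| where _time>=info_min_time AND (info_max_time="+Infinity" OR _time<=info_max_time)
| sort 0 _time
| timechart span=1d count
```

The isnotnull check drops rows whose date did not match the format string, and the "+Infinity" test keeps rows when the picker is set to All time, where info_max_time is not a number.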