Time Range picker is not working in Hunk


Hi, I am using Hunk 6.2.
When I select a date-time range from the picker and execute the query, it works fine and shows results.

But when I save it as a dashboard and try to run the same query from the saved dashboard, it says "No Result Found".

The browser's URL shows <URL>/dashboard1__monthly?earliest=1404158400&latest=1406836800

Please help me with how I can generate the results using the time range picker in the dashboard.



Splunk Employee

When you are working with Hadoop using Hunk, or when you are working with Splunk and the time field you want to work with is not _time, you may want to use the time picker in a dashboard with the correct time field. Or you may want to use some timeseries or any other time-based Splunk command on that specific time field.

Here is a solution you might use to make time selections work in every case, including in panels.

    | inputlookup SampleData.csv
    | eval _time=strptime(claim_filing_date,"%Y-%m-%d")
    | sort _time
    | addinfo

Let's break this down into its parts.

    | inputlookup 837SampleData

This is a way to pull in data directly from a csv file so that it behaves just like it would from one of your searches against a Hadoop file that has no _time value.
In your search, you would supply something like [ index=SampleData state="FL" ]
Please remember to add enough filters to the search so that you aren't working with the entire data set. In Hadoop this could be a serious situation leading to copying literally all of your data to a sort. Remember: filter first, munge later.

    | eval _time=strptime(claim_filing_date,"%Y-%m-%d")

This converts the date in "claim_filing_date" into epoch time and stores it in "_time".

    | sort _time

This sorts all of the records by time since they weren't in that order before.

    | addinfo

This adds info_min_time and info_max_time fields which are the min and max of the new values for _time that you have. This is needed for the time control in reports and panels to make it work properly. This is not needed to execute Splunk commands that are time oriented, but it is the magic that will make this work properly in the time drop-down in your panels.

0 Karma
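A Simple XML form that ties the steps above to a time range picker, as an added example that is not part of the original answers: the picker's selection is passed as the search time range, and the `info_min_time` / `info_max_time` fields from `addinfo` are then used to filter rows on the converted `_time`. The token name `time_tok`, the labels, and the `gentimes` sample rows are constructed for illustration; the default range is the one from the URL in the question.

```xml
<!-- Added example, not from the original thread. The token name time_tok and
     the gentimes sample rows are constructed; replace the first three lines
     of the query with your own base search (e.g. | inputlookup SampleData.csv). -->
<form>
  <label>Claims by filing date</label>
  <fieldset submitButton="false">
    <!-- Time range picker; its selection is exposed as
         $time_tok.earliest$ and $time_tok.latest$ -->
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Filing date range</label>
      <default>
        <earliest>1404158400</earliest>
        <latest>1406836800</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Claims filed per week</title>
        <search>
          <query><![CDATA[
| gentimes start=06/01/2014 end=09/01/2014 increment=10d
| eval claim_filing_date=strftime(starttime, "%Y-%m-%d")
| fields claim_filing_date
| eval _time=strptime(claim_filing_date, "%Y-%m-%d")
| addinfo
| where _time>=info_min_time AND (info_max_time="+Infinity" OR _time<info_max_time)
| timechart span=1w count
          ]]></query>
          <!-- The picker's range becomes the search time range,
               which is what addinfo reports in info_min_time / info_max_time -->
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

The `info_max_time="+Infinity"` branch keeps the filter from dropping every row when the picker is set to "All time".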

Splunk Employee

Also, these statements could be added to a macro which you would call like this in your search.

    `setsorttime(claim_filing_date, %Y-%m-%d)`

To do this, you define the macro like this:

    [setsorttime(2)]
    args = sortdatetime, datetimeformat
    definition = eval _time=strptime($sortdatetime$,"$datetimeformat$") | sort _time | addinfo

0 Karma

Splunk Employee

Possibly related post:

Issue = Time range picker preview doesn't work on Hunk

To reproduce:
0 = Setup Demo Hunk workload as per:
1 = Run a search (e.g. index=hunkexample)
2 = Select a timeslice from the timeline.
3 = Observe that no events are returned (bottom right panel is blank).

Answer = The time range preview picker is not expected to work on Hunk.
Cause = This is because Hunk/Hadoop cannot guarantee time-ordered results (because of the way Hadoop returns its results).

Related Bugs to this:
ERP-1938 = Clarify Behaviour.
ERP-1972 = Document behaviour.

0 Karma

Splunk Employee

When opening the dashboard search in the "search view" (by clicking the search "magnifying glass" at the bottom left of the panel) - is the time range correct? Does the search return the correct results then?

0 Karma