taha13,

Can you make this work in an actual search? I think that's your first step.

Be sure to use the epoch versions of the dates/times, because that's what _time is. E.g. in all the above, do NOT use the "earliest_time" and so on, but instead use the "earliest_time_relative" and related fields for your comparisons.

Once you get it working in a search and returning only the days you want, I think it'll be pretty easy to make it work in your dashboard.

Or can you post the entire search? Maybe there's something going on there we aren't seeing?

it's work for the last week ut dont for the last month for exemple or for yesterday
Tis is what i have for yesterday on the search

 |eval date = strftime(_time,"%Y-%m-%d") 
  | eval earliest_time_relative=relative_time(now(),"-1d@d")
  | eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")
  | eval latest_time_relative=relative_time(now(),"true")
  | eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
  | where (_time >= earliest_time_relative AND _time<=latest_time_relative) 

I think @cmerriman asked this too, but how could

| eval latest_time_relative=relative_time(now(),"true")

possibly work?

If you run the search and replace true with what you want the latest time to be, does that search run and give you the desired results?

It's doesnt work,this is my code

    |eval date_time = strftime(_time,"%Y-%m-%d") 
              | eval earliest_time_relative=relative_time(now(),"$earliest_token$")
                | eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")

                | eval earliest1_time_relative=relative_time(now(),"$earliest1_token$")
                | eval earliest1_time = strftime(earliest1_time_relative,"%Y-%m-%d")

                | eval latest_time_relative=relative_time(now(),"$latest_token$")
                | eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")

                | eval date = strftime(_time,"%Y-%m-%d")
                | where date == "$time_token$" OR (date_time >= earliest1_time AND latest_time >= date_time) OR date_time>= earliest_time

Then when i read the serch i have :

  |eval date = strftime(_time,"%Y-%m-%d") 
  | eval earliest_time_relative=relative_time(now(),"-1d@d")
  | eval earliest_time = strftime(earliest_time_relative,"%Y-%m-%d")

  | eval latest_time_relative=relative_time(now(),"true")
  | eval latest_time = strftime(latest_time_relative,"%Y-%m-%d")
  | where date == (_time >= earliest_time AND latest_time_relative >= _time) OR _time >= earliest_time_relative

what are you inputting for your latest_time that it is evaluating to true

can you post what your inputs look like? you have $time_token$, but i'm not sure how that's being created, so unless it's in the form of YYYY-MM-DD, that part of your where statement won't work. the date_time>=earliest_time won't work either, since that is a string and not epoch. maybe try |eval date_time = strptime(strftime(_time,"%Y-%m-%d") ,"%Y-%m-%d") or even |eval date_time=relative_time(_time,"@d") to snap _time to the beginning of the day, which is essentially what you're doing with strftime.

My input :

          <set token="earliest1_token">-1w@w1</set>
          <set token="earliest_token">-1w@w1</set>
          <set token="latest_token">@w6</set>
          <set token="time_token">true</set>
          <unset token="depends_token_1">true</unset>
          <unset token="depends_token_2">true</unset>
          <unset token="depends_token_3">true</unset>
          <unset token="depends_token_4">true</unset>
          <unset token="depends_token_5">true</unset>
          <unset token="depends_token_6">true</unset>
          <set token="depends_token_7">true</set>
          <unset token="depends_token_8">true</unset>
          <unset token="depends_token_9">true</unset>
          <set token="show_Data_Labels_token">all</set>
          <set token="token_span">$token_span7$</set>
          <!-- <set token="loadjob_token_job">job_mois_encours</set> -->
          <set token="loadjob_token_job">job_mois_encours_backup</set>
        </condition>