Dashboards & Visualizations
Highlighted

How to see future date results in the dashboard

Explorer

I have hotel bookings created in March 2020 but check-in dates will be after March 2020. How to see future bookings (Check-in date) in splunk for each month from April-2020 until Dec-2021.

I have set the timestamp (input date function) based on Check-in date but could not see results.

0 Karma
Highlighted

Re: How to see future date results in the dashboard

SplunkTrust
SplunkTrust

Have you tried adding latest = +1y to your base query?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Highlighted

Re: How to see future date results in the dashboard

Explorer

I have tried with the selection of timestamp from Jan-2020 until Dec 2020 and Jan-2020 until Dec 2021 but it shows results until Feb-2020 only.
This is my query:
index="alldemo" sourcetype="AllDemoMICreated" BOOKINGSTATUS=CFD AND ((MARKET="") (CLIENTTOPNAME="") (CONTENTSOURCE="") () (CONFIRMEDBYUSER=""))

| eval monthnum=strftime(time,"%m") | eval Month=strftime(time,"%b %Y")
| stats count as [ search index="alldemo" sourcetype="AllDemoMI
Created" BOOKING_STATUS=CFD AND ((MARKET="
") (CLIENTTOPNAME="") (CONTENT_SOURCE="") () (CONFIRMEDBY_USER="")) | stats count as "Total Booking" ] by dateyear, monthnum, Month | sort dateyear,monthnum | fields - monthnum - dateyear

0 Karma
Highlighted

Re: How to see future date results in the dashboard

SplunkTrust
SplunkTrust

Let's back up a bit. When were the events created? Bookings for March 2021 made today will (should) have today's date in _time so that is the date you would use for earliest or latest. Then you can examine the check-in date to see if it's in the desired range.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: How to see future date results in the dashboard

Builder

_time is the timestamp of the event

So unless your sourcetype's events timestamp is in the future, this isn't going to work

What field in the event actually holds the check-in date?

I'd find it very surprising to find out that _time is really the check-in date, and not either when the reservation was made, or when the event goes into Splunk

0 Karma
Highlighted

Re: How to see future date results in the dashboard

Explorer

I have loaded the data with check-in date and splunk pick ups the time stamp same as check_in date.

View solution in original post

0 Karma
Highlighted

Re: How to see future date results in the dashboard

SplunkTrust
SplunkTrust

Does that mean your problem is resolved?

---
If this reply helps you, an upvote would be appreciated.
Highlighted

Re: How to see future date results in the dashboard

Explorer

No, correct timestamp data is not enough to see the details of future dates in the splunk.
We need to introduce the below configuration in the Props.conf in the path 'local' folder (Do not update in the default folder)
MAXDAYSHENCE = 730 (365 * 2, to read 2 years of data from the current date)
Restart the Splunk services and then load the data into Splunk to reflect the future dates in the reports.

Thanks for your hints to resolve this issue.

0 Karma