Timechart future dates

_Mauro_Costa_
Explorer

Good afternoon
I have a dashboard with multiple timecharts where I am using a time picker of -7 days and +7 days.
The problem is that not all timecharts end on the same day because there are no events for future days.
Is it possible for the timechart to always show future days, even when there are no events for those days?
Image as an example:

0 Karma

_Mauro_Costa_
Explorer

If I use earliest and latest in the search, no results are shown, image attached.
@inventsekar you're right, the logic of latest doesn't make sense, but it doesn't influence the results.
How do I search for earliest and latest using an inputlookup?

0 Karma

_Mauro_Costa_
Explorer

@inventsekar Thanks for the answer.
I'm not using the default _time but another date field that I converted to epoch.
Is the problem related to this?
My query is:
| inputlookup dashboard_latest_v1
| eval _time=time
| eval earliest = 1625698800
| eval latest = if(1626908400 < 0, now(), 1626908400)
| where _time >= earliest AND _time <= latest
| lookup zonef zf_id AS zonef_id OUTPUT cco_description
| lookup client c_id AS cliente_id OUTPUT c_name
| lookup project p_id AS project_id OUTPUT p_name
| lookup contexto ci_id AS contexto_id OUTPUT ci_description
| lookup partner par_id AS parceiro_id OUTPUT par_description
| fillnull value=Others par_description
| search segment = "internal" AND cco_description="*" AND c_name IN ("*") AND p_name IN ("*") AND ci_description IN ("*") AND par_description IN ("*")
| timechart span=1d count BY segment

0 Karma

inventsekar
SplunkTrust

| eval latest = if(1626908400 < 0, now(), 1626908400)
<Some logic is wrong in calculating the latest: "1626908400 < 0" will always fail, and latest will always be assigned "1626908400".>

The earliest and latest are not added to the search command. Once you add that, the timechart will work fine, I think. Please check the latest calculation and update us back, thanks.

0 Karma

inventsekar
SplunkTrust

Hi @_Mauro_Costa_ .. timechart will work fine for future dates, though empty of logs:

index="test_index" earliest=-2h@h latest=+d@d  |timechart span=30m count by host

0 Karma
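An added example, not posted by anyone in this thread: `inputlookup` ignores the time picker, so `timechart` only spans the dates present in the lookup rows. This sketch reads the picker bounds with `addinfo`, filters the lookup rows against them, and appends two placeholder rows at the bounds so the x-axis always covers the full range; `count(time)` skips the placeholders because they carry no `time` field. It assumes the picker range is bounded (such as -7 days to +7 days), reuses the lookup and field names from the query above, and omits the extra `lookup` enrichment steps.

```spl
| inputlookup dashboard_latest_v1
| eval _time=time
| addinfo
| where _time >= info_min_time AND _time <= info_max_time
| search segment="internal"
| append
    [| makeresults count=2
     | streamstats count AS n
     | addinfo
     | eval _time=if(n=1, info_min_time, info_max_time)
     | eval segment="internal"
     | fields _time segment]
| timechart span=1d count(time) AS count BY segment
```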