Timechart future dates

_Mauro_Costa_
Explorer

Good afternoon,
I have a dashboard with multiple timecharts where I am using a time picker of -7 days and +7 days.
The problem is that not all timecharts end on the same day because there are no events for future days.
Is it possible for the timechart to always represent future days, even when there are no events for those days?
Image as an example:

0 Karma

_Mauro_Costa_
Explorer

If I use earliest and latest in the search, no results are shown, image attached.
@inventsekar you're right, the logic of latest doesn't make sense, but it doesn't influence the results.
How do I search for earliest and latest using an inputlookup?

0 Karma

_Mauro_Costa_
Explorer

@inventsekar Thanks for the answer.
I'm not using the default _time but another date field that I converted to epoch.
Is the problem related to this?
My query is:
| inputlookup dashboard_latest_v1
| eval _time=time
| eval earliest = 1625698800
| eval latest = if(1626908400 < 0, now(), 1626908400)
| where _time >= earliest AND _time <= latest
| lookup zonef zf_id AS zonef_id OUTPUT cco_description
| lookup client c_id AS cliente_id OUTPUT c_name
| lookup project p_id AS project_id OUTPUT p_name
| lookup contexto ci_id AS contexto_id OUTPUT ci_description
| lookup partner par_id AS parceiro_id OUTPUT par_description
| fillnull value=Others par_description
| search segment = "internal" AND cco_description="*" AND c_name IN ("*") AND p_name IN ("*") AND ci_description IN ("*") AND par_description IN ("*")
| timechart span=1d count BY segment

0 Karma

inventsekar
Ultra Champion

| eval latest = if(1626908400 < 0, now(), 1626908400)
<some logic is wrong in calculating the latest.. "1626908400 < 0" will always fail and latest will always be assigned "1626908400" >

The earliest and latest are not added to the search command. Once you add that, the timechart will work fine, I think. Please check the latest calculation and update us back, thanks.

0 Karma

inventsekar
Ultra Champion

Hi @_Mauro_Costa_ .. timechart will work fine for future dates, though empty of logs:

index="test_index" earliest=-2h@h latest=+d@d  |timechart span=30m count by host


0 Karma