Timechart future dates

_Mauro_Costa_
Explorer

Good afternoon,
I have a dashboard with multiple timecharts where I am using a time picker of -7 days and +7 days.
The problem is that not all timecharts end on the same day because there are no events for future days.
Is it possible for the timechart to always represent future days, even when there are no events for those days?
Image as an example:

_Mauro_Costa_
Explorer

If I use earliest and latest in the search, no results are shown, image attached.
@inventsekar you're right, the logic of latest doesn't make sense, but it doesn't influence the results.
How do I search for earliest and latest using an inputlookup?

_Mauro_Costa_
Explorer

@inventsekar Thanks for the answer.
I'm not using the default _time but another date field that I converted to epoch.
Is the problem related to this?
My query is:
| inputlookup dashboard_latest_v1
| eval _time=time
| eval earliest = 1625698800
| eval latest = if(1626908400 < 0, now(), 1626908400)
| where _time >= earliest AND _time <= latest
| lookup zonef zf_id AS zonef_id OUTPUT cco_description
| lookup client c_id AS cliente_id OUTPUT c_name
| lookup project p_id AS project_id OUTPUT p_name
| lookup contexto ci_id AS contexto_id OUTPUT ci_description
| lookup partner par_id AS parceiro_id OUTPUT par_description
| fillnull value=Others par_description
| search segment = "internal" AND cco_description="*" AND c_name IN ("*") AND p_name IN ("*") AND ci_description IN ("*") AND par_description IN ("*")
| timechart span=1d count BY segment

inventsekar
SplunkTrust

| eval latest = if(1626908400 < 0, now(), 1626908400)
<some logic is wrong in calculating latest: "1626908400 < 0" will always fail and latest will always be assigned "1626908400">

The earliest and latest are not added to the search command. Once you add that, the timechart will work fine, I think. Please check the latest calculation and update us back, thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
inventsekar
SplunkTrust

Hi @_Mauro_Costa_ .. timechart will work fine for future dates, though empty of logs:

index="test_index" earliest=-2h@h latest=+d@d  |timechart span=30m count by host

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
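
For the lookup-based search posted earlier in the thread, where the rows come from `inputlookup` and the time bounds are applied with `where`, one way to make every panel cover the same days is to append one zero-weight placeholder row per day of the window before `timechart`. This is an added example, not code from any poster in the thread; the fields `n` and `day` are hypothetical helpers, the filter is reduced to `segment="internal"`, and the two epoch literals are the ones from the posted query, assumed to stand where the dashboard substitutes its time picker values.

```spl
| inputlookup dashboard_latest_v1
| eval _time=time, n=1
| where _time >= 1625698800 AND _time <= 1626908400
| search segment="internal"
| append
    [| makeresults
     | eval day=mvrange(1625698800, 1626908400 + 1, 86400)
     | mvexpand day
     | eval _time=day, segment="internal", n=0
     | fields _time segment n]
| timechart span=1d sum(n) AS count BY segment
| fillnull value=0
```

Real rows carry `n=1` and placeholder rows carry `n=0`, so `sum(n)` gives the true event count per day while the placeholders force a bucket for every day up to the end of the window, including future days with no events.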