Timechart future dates

_Mauro_Costa_
Explorer

Good afternoon,
I have a dashboard with multiple timecharts where I am using a time picker of -7 days and +7 days.
The problem is that not all timecharts end on the same day, because there are no events for future days.
Is it possible for the timechart to always represent future days, even when there are no events for those days?
Image as an example:


_Mauro_Costa_
Explorer

If I use earliest and latest in the search, no results are shown; image attached.
@inventsekar you're right, the logic of latest doesn't make sense, but it doesn't influence the results.
How do I search for earliest and latest using an inputlookup?


_Mauro_Costa_
Explorer

@inventsekar Thanks for the answer.
I'm not using the default _time but another date field that I converted to epoch.
Is the problem related to this?
My query is:
| inputlookup dashboard_latest_v1
| eval _time=time
| eval earliest = 1625698800
| eval latest = if(1626908400 < 0, now(), 1626908400)
| where _time >= earliest AND _time <= latest
| lookup zonef zf_id AS zonef_id OUTPUT cco_description
| lookup client c_id AS cliente_id OUTPUT c_name
| lookup project p_id AS project_id OUTPUT p_name
| lookup contexto ci_id AS contexto_id OUTPUT ci_description
| lookup partner par_id AS parceiro_id OUTPUT par_description
| fillnull value=Others par_description
| search segment = "internal" AND cco_description="*" AND c_name IN ("*") AND p_name IN ("*") AND ci_description IN ("*") AND par_description IN ("*")
| timechart span=1d count BY segment


inventsekar
SplunkTrust

| eval latest = if(1626908400 < 0, now(), 1626908400)
Some logic is wrong in calculating the latest: "1626908400 < 0" will always fail and latest will always be assigned "1626908400".

The earliest and latest are not added to the search command. Once you add that, the timechart will work fine, I think. Please check the latest calculation and update us back, thanks.


inventsekar
SplunkTrust

Hi @_Mauro_Costa_ .. timechart will work fine for future dates, though empty of logs:

index="test_index" earliest=-2h@h latest=+d@d  |timechart span=30m count by host
