Dashboards & Visualizations

Timechart future dates

_Mauro_Costa_
Explorer

Good afternoon
I have a dashboard with multiple timechart where I am using a time picker -7 days and +7 days.
The problem is that not all timechart end on the same day because there are no events for future days.
Is it possible that the timechar always represents future days, even when there are no events for those days?
Image as an example:

Labels (1)
0 Karma

_Mauro_Costa_
Explorer

if i use earliest and latest in the search, no results are shown, image attached.
@inventsekar you're right, the logic of latest doesn't make sense but it doesn't influence the results.
how search for earliest and latest using an inputlookup?

0 Karma

_Mauro_Costa_
Explorer

@inventsekar  Thanks for the answer
I'm not using the default _time but another date field that I converted to epoch
is the problem related to this?
my query is:
| inputlookup dashboard_latest_v1
| eval _time=time
| eval earliest = 1625698800
| eval latest = if(1626908400 < 0, now(), 1626908400)
| where _time >= earliest AND _time <= latest
| lookup zonef zf_id AS zonef_id OUTPUT cco_description
| lookup client c_id AS cliente_id OUTPUT c_name
| lookup project p_id AS project_id OUTPUT p_name
| lookup contexto ci_id AS contexto_id OUTPUT ci_description
| lookup partner par_id AS parceiro_id OUTPUT par_description
| fillnull value=Others par_description
| search segment = "internal" AND cco_description="*" AND c_name IN ("*") AND p_name IN ("*") AND ci_description IN ("*") AND par_description IN ("*")
| timechart span=1d count BY segment

0 Karma

inventsekar
Super Champion

| eval latest = if(1626908400 < 0, now(), 1626908400)
<some logic is wrong in calculating the latest.. "1626908400 < 0" will always fail and it latest will always be assigned "1626908400" >

 

the earliest and latest are not added to the search command.. once you add that, the timechart will work fine i think. please check the latest calculation and update us back, thanks. 

0 Karma

inventsekar
Super Champion

Hi @_Mauro_Costa_ .. timechart will work fine for future dates, though empty of logs:

index="test_index" earliest=-2h@h latest=+d@d  |timechart span=30m count by host

timechart.jpg

0 Karma
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...