
Not receiving valid results bringing in future data dashboard earliest time

AdrianMa
Explorer

(attached screenshot: earliest invalid.PNG)

I am trying to bring future data into a dashboard, which includes events from this week's Friday 17:00 UTC until the same day and hour next week, but I don't get any valid results whatsoever, in 2 test cases:

I have declared 4 tokens:

<eval token="earliest_default">relative_time(now() , "+1w@w5+17h")</eval>
<eval token="latest_default">relative_time(now() , "+7d@d+17h")</eval>

<eval token="time_from">relative_time(now(),"+1w@w+17h")</eval>
<eval token="time_to">relative_time(now(),"+7d@d+17h")</eval>

And ran a search which evaluates the time for a week's span (TEST1):

<search>
<query>index="xxx_index" | head 1
| eval thisFriday17 =if( strftime(now(),"%w")=="5",relative_time(now() , "+1w@w+17h"), relative_time(now() , "+7d@d+17h"))
| eval nextFriday17 = relative_time(thisFriday17 , "+7d@d+17h")
| eval filterFrom = case( "$xxx_presetTime$"=="This Friday 17:00 UTC - Next Week Friday 17:00 UTC", thisFriday17 , "$xxx_presetTime$"=="custom" , $time_from$ )
| eval filterTo = case( "$xxx_presetTime$"=="This Friday 17:00 UTC - Next Week Friday 17:00 UTC", nextFriday17, "$xxx_presetTime$"=="custom" , $time_to$ )
| eval filterFrom_label = strftime(filterFrom,"%d-%m-%Y- %H:%M:%S")
| eval filterTo_label = strftime(filterTo,"%d-%m-%Y- %H:%M:%S")
| table filterFrom , filterTo,filterFrom_label,filterTo_label</query>
<earliest></earliest>
<latest></latest>
<done>
<set token="from_drill">$result.filterFrom$</set>
<set token="to_drill">$result.filterTo$</set>
<set token="filterFrom_label">$result.filterFrom_label$</set>
<set token="filterTo_label">$result.filterTo_label$</set>
</done>
</search>

The main issue is that no data is displayed even if it should be. Changing the span ruins the results, meaning that Splunk brings data from the LAST Friday until THIS Friday, not from THIS Friday to the upcoming one or 2 weeks.

Working in the Advanced Time Span filter and selecting the above throws "The earliest time is invalid".

TEST2

Working code I brought up is the following, but the results captured are from the LAST Friday until THIS Friday, not from THIS Friday to the upcoming 2 weeks. Reducing the time span from the below breaks the code. This broke me too.

| eval thisFriday17 =if( strftime(now(),"%w")=="5",relative_time(now() , "@w5+17h"), relative_time(now() , "+1w@w5+17h"))
| eval next2Friday17 =if( strftime(now(),"%w")=="5",relative_time(now() , "@w5+14d+17h"), relative_time(now() , "+1w@w5+14d+17h"))
| eval filterFrom = case( "$xxx_presetTime$"=="This Friday 17:00 UTC - Next 2 Weeks Friday 17:00 UTC", thisFriday17 , "$xxx_presetTime$"=="custom" , $time_from$ )
| eval filterTo = case( "$xxx_presetTime$"=="This Friday 17:00 UTC - Next 2 Weeks Friday 17:00 UTC", next2Friday17, "$xxx_presetTime$"=="custom" , $time_to$ )
| eval filterFrom_label = strftime(filterFrom,"%d-%m-%Y- %H:%M:%S")
| eval filterTo_label = strftime(filterTo,"%d-%m-%Y- %H:%M:%S")
| table filterFrom , filterTo,filterFrom_label,filterTo_label

I must mention that the user is not able to change the Preset Time Span I am forcing:

<input type="dropdown" token="xxx_presetTime" searchWhenChanged="true">
<label>Preset Time Span</label>
<choice value="This Friday 17:00 UTC - Next Week Friday 17:00 UTC">This Friday 17:00 UTC - Next Week Friday 17:00 UTC</choice>
</input>

Hope I am being clear in exposing my issue. Thanks in advance for your help!
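To see exactly which instants the modifier strings in the post resolve to, here is a small Python model of how relative_time applies its modifiers. This is an added example, not code from the original post and not Splunk's implementation; it assumes Splunk's documented behaviour that modifiers are applied strictly left to right, that "@d" snaps back to 00:00 of the current day, that "@w" (or "@w0") snaps back to the most recent Sunday and "@w5" to the most recent Friday (today if it already is Friday), and that any character outside a modifier (such as a pasted space) makes the spec invalid. The two "now" values (a Wednesday and a Friday in January 2024, UTC) are constructed, and the helper names are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# One modifier at a time: an offset like "+1w" / "-7d" / "+17h", or a snap like "@d" / "@w" / "@w5".
_MOD = re.compile(r"([+-]\d+)([smhdw])|@([smhdw])(\d)?")
_DELTA_KW = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def splunk_dow(t):
    """Day of week the way strftime(now(), "%w") reports it: Sunday=0 .. Saturday=6."""
    return (t.weekday() + 1) % 7


def _snap(t, unit, dow):
    """Snap backward to the start of the unit (assumed Splunk semantics: snapping never moves forward)."""
    if dow is not None and unit != "w":
        raise ValueError(f"a day number is only allowed after @w, got @{unit}{dow}")
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    # "@w" / "@w0" = most recent Sunday 00:00, "@w5" = most recent Friday 00:00 (today if it is Friday)
    target = 0 if dow is None else int(dow)
    return day - timedelta(days=(splunk_dow(day) - target) % 7)


def relative_time(now, spec):
    """Model of relative_time(now, spec): every modifier is applied, in order, to the running value."""
    t, pos = now, 0
    for m in _MOD.finditer(spec):
        if m.start() != pos:  # stray characters (e.g. a pasted space) between two modifiers
            raise ValueError(f"invalid time modifier near offset {pos} in {spec!r}")
        pos = m.end()
        if m.group(1):  # offset: "+1w" -> timedelta(weeks=1), "+17h" -> timedelta(hours=17)
            t += timedelta(**{_DELTA_KW[m.group(2)]: int(m.group(1))})
        else:           # snap: "@d", "@w", "@w5"
            t = _snap(t, m.group(3), m.group(4))
    if pos != len(spec):  # trailing junk after the last modifier
        raise ValueError(f"invalid time modifier near offset {pos} in {spec!r}")
    return t


# Constructed "now" values (assumption): a Wednesday and a Friday, both in UTC.
WED = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
FRI = datetime(2024, 1, 12, 9, 0, tzinfo=timezone.utc)


def this_friday_17(now):
    """The post's TEST2 thisFriday17 expression, evaluated through the model."""
    spec = "@w5+17h" if splunk_dow(now) == 5 else "+1w@w5+17h"
    return relative_time(now, spec)


def is_valid_spec(spec):
    """True if the spec parses cleanly; False for specs with stray characters."""
    try:
        relative_time(WED, spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for now in (WED, FRI):
        print(f"now = {now:%a %Y-%m-%d %H:%M} UTC")
        for spec in ("+1w@w5+17h", "+7d@d+17h", "+1w@w+17h", "@w5+17h", "@w5+14d+17h"):
            print(f"  {spec:<13} -> {relative_time(now, spec):%a %Y-%m-%d %H:%M}")
        print(f"  thisFriday17  -> {this_friday_17(now):%a %Y-%m-%d %H:%M}")
    print("'+1w @w5+17h' valid?", is_valid_spec("+1w @w5+17h"))
```

Running it side by side for the two dates shows the two things worth checking in the post's tokens under these assumptions: "+1w@w+17h" snaps to Sunday (the "@w" has no day number), so the TEST1 time_from token lands on a Sunday rather than a Friday, and "+7d@d+17h" lands on whatever weekday it is run on, so only the "@w5" forms pin the boundaries to a Friday. The stray-character check is the model's way of reproducing an "earliest time is invalid" style rejection for a spec that picked up whitespace during copy-pasting.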


PickleRick
SplunkTrust

Don't you have some stray spaces or some other characters from copy-pasting?

The "+1w@w5+17h" seems to work OK as a time spec.

That's one thing.

Other - are you sure that your data is properly indexed?

Did you check it?

| tstats count where index=<your index> earliest=now latest=+1y span=1d

Usually when "the search does not return anything when it should" it's simply because the data is not there 😉


AdrianMa
Explorer

Hi @PickleRick ,

Checked for spaces but did not find one loose.

The data is properly indexed as I can find it via your query or using other searches.

Something is not adding up.


AdrianMa
Explorer

To mention: I am working in a customized 7.3.6 app.
