How to get previous date values in the dashboard t...

sekhar463 · ‎06-01-2023

i have data in the event with date field

and while saving the same search in the dashboard studio table its giving previous date values

not giving exact values as event data

index=test sourcetype="test Data*"
| sort -time
| dedup TABLE_NAME
| table TABLE_NAME MAX_POSITION_DATE MAX_DMA_RUN_DATETIME

TABLE_NAME MAX_POSITION_DATE MAX_DMA_RUN_DATETIME
5858585 L 2023-06-01 00:00:00.000 2023-06-01 06:48:12.225
46466464 2023-05-31 00:00:00.000 2023-06-01 03:02:58.000

ITWhisperer · ‎06-01-2023

Assuming your time field is a numeric timestamp, the sort will put the events in descending time order i.e. latest first. The dedup will keep the first event in the pipeline for each table name.

Without seeing the exact data you are dealing with, it is not possible to say whether the values you are showing are correct or not, but given the above assumptions, if you are not getting the data you are expecting, you should look closer at your actual data to determine where the discrepancy may have arisen from.

How to get previous date values in the dashboard table apart from event data?

data

sourcetype

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?