I am trying to bring future data into a dashboard that includes events from this week's Friday 17:00 UTC until next week, same day, same hour, but I don't get any valid results whatsoever, in 2 test cases:
I have declared 4 tokens:
<eval token="earliest_default">relative_time(now() , "+1w@w5+17h")</eval>
<eval token="latest_default">relative_time(now() , "+7d@d+17h")</eval>
<eval token="time_from">relative_time(now(),"+1w@w+17h")</eval>
<eval token="time_to">relative_time(now(),"+7d@d+17h")</eval>
And queried a search which evaluates the time for a week's span: (TEST1)
<search>
<query>index="xxx_index" | head 1
| eval thisFriday17 =if( strftime(now(),"%w")=="5",relative_time(now() , "+1w@w+17h"), relative_time(now() , "+7d@d+17h"))
| eval nextFriday17 = relative_time(thisFriday17 , "+7d@d+17h")
| eval filterFrom = case( "$xxx_presetTime$"=="This Friday 17:00 UTC - Next Week Friday 17:00 UTC", thisFriday17 , "$xxx_presetTime$"=="custom" , $time_from$ )
| eval filterTo = case( "$xxx_presetTime$"=="This Friday 17:00 UTC - Next Week Friday 17:00 UTC", nextFriday17, "$xxx_presetTime$"=="custom" , $time_to$ )
| eval filterFrom_label = strftime(filterFrom,"%d-%m-%Y- %H:%M:%S")
| eval filterTo_label = strftime(filterTo,"%d-%m-%Y- %H:%M:%S")
| table filterFrom , filterTo,filterFrom_label,filterTo_label</query>
<earliest></earliest>
<latest></latest>
<done>
<set token="from_drill">$result.filterFrom$</set>
<set token="to_drill">$result.filterTo$</set>
<set token="filterFrom_label">$result.filterFrom_label$</set>
<set token="filterTo_label">$result.filterTo_label$</set>
</done>
</search>
The main issue is that no data is displayed even if it should be. Changing the span ruins the results, meaning that Splunk brings data from the LAST Friday until THIS Friday, not from THIS Friday to the upcoming one or 2 weeks.
Working in the Advanced Time Span filter and selecting the above throws "The earliest time is invalid".
TEST2
A working code I brought up is the following, but the results captured are from the LAST Friday until THIS Friday, not from THIS Friday to the upcoming 2 weeks. Reducing the time span from the below breaks the code. This broke me too.
| eval thisFriday17 =if( strftime(now(),"%w")=="5",relative_time(now() , "@w5+17h"), relative_time(now() , "+1w@w5+17h"))
| eval next2Friday17 =if( strftime(now(),"%w")=="5",relative_time(now() , "@w5+14d+17h"), relative_time(now() , "+1w@w5+14d+17h"))
| eval filterFrom = case( "$xxx_presetTime$"=="This Friday 17:00 UTC - Next 2 Weeks Friday 17:00 UTC", thisFriday17 , "$xxx_presetTime$"=="custom" , $time_from$ )
| eval filterTo = case( "$xxxx_presetTime$"=="This Friday 17:00 UTC - Next 2 Weeks Friday 17:00 UTC", next2Friday17, "$xxx_presetTime$"=="custom" , $time_to$ )
| eval filterFrom_label = strftime(filterFrom,"%d-%m-%Y- %H:%M:%S")
| eval filterTo_label = strftime(filterTo,"%d-%m-%Y- %H:%M:%S")
| table filterFrom , filterTo,filterFrom_label,filterTo_label
I must mention that the user is not able to change the Preset Time Span I am forcing:
<input type="dropdown" token="xxx_presetTime" searchWhenChanged="true">
<label>Preset Time Span</label>
<choice value="This Friday 17:00 UTC - Next Week Friday 17:00 UTC">This Friday 17:00 UTC - Next Week Friday 17:00 UTC</choice>
Hope I am being clear in exposing my issue. Thanks in advance for your help!
Don't you have some stray spaces or some other characters from copy-pasting?
The "+1w@w5+17h" seems to work OK as a time spec.
That's one thing.
Other - are you sure that your data is properly indexed?
Did you check it?
| tstats count where index=<your index> earliest=now latest=+1y span=1d
Usually when "the search does not return anything when it should" it's simply because the data is not there 😉
Hi @PickleRick ,
Checked for spaces but did not find one loose.
The data is properly indexed as I can find it via your query or using other searches.
Something is not adding up.
To mention, I am working in a customized 7.3.6 app.
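To see what each time specifier used in this thread resolves to, here is an added example (not code from any poster in the thread) that emulates Splunk's documented modifier semantics in Python: offsets and snaps are applied left to right, snaps only round down, and `@w`, `@w0` and `@w7` mean Sunday while `@w5` means Friday. The function name `resolve`, the two sample clocks and the UTC-only handling are assumptions; only the `h`, `d` and `w` units that appear in the thread are supported.

```python
import re
from datetime import datetime, timedelta, timezone

UNITS = {"h": "hours", "d": "days", "w": "weeks"}
TOKEN = re.compile(r"([+-]\d+[hdw])|(@(?:w[0-7]?|d))")

def resolve(now, spec):
    """Apply offsets and snaps left to right, the way Splunk reads a modifier."""
    t, pos = now, 0
    for m in TOKEN.finditer(spec):
        if m.start() != pos:          # unparsed characters between tokens
            break
        pos = m.end()
        offset, snap = m.groups()
        if offset:
            t += timedelta(**{UNITS[offset[-1]]: int(offset[:-1])})
            continue
        t = t.replace(hour=0, minute=0, second=0, microsecond=0)  # @d
        if snap.startswith("@w"):
            target = int(snap[2:] or 0) % 7   # @w, @w0, @w7 = Sunday; @w5 = Friday
            today = (t.weekday() + 1) % 7     # Python Mon=0 -> Splunk Sun=0
            t -= timedelta(days=(today - target) % 7)  # snaps only go backwards
    if pos != len(spec):
        raise ValueError(f"unsupported specifier: {spec!r}")
    return t

# Constructed sample clocks: a Wednesday and a Friday morning, both UTC.
WEDNESDAY = datetime(2024, 5, 15, 10, 30, tzinfo=timezone.utc)
FRIDAY = datetime(2024, 5, 17, 10, 30, tzinfo=timezone.utc)
# Specifiers copied from the dashboard tokens and evals in the thread.
SPECS = ["+1w@w5+17h", "+7d@d+17h", "+1w@w+17h", "@w5+17h", "+1w@w5+14d+17h"]

if __name__ == "__main__":
    for label, now in (("Wed", WEDNESDAY), ("Fri", FRIDAY)):
        for spec in SPECS:
            stamp = resolve(now, spec).strftime("%a %d-%m-%Y %H:%M")
            print(f"{label}  {spec:16} {stamp}")
```

Running the same specifiers through `relative_time()` in a `makeresults` search on the Splunk instance itself confirms whether the server's timezone changes any of these results.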