Query:
search...| eval earliest=relative_time(strptime("01-February 2017","%d-%B %Y"),"+0mon"), latest=relative_time(earliest,"+1mon")|eventstats first(earliest) as earliest first(latest) as latest |makecontinuous d span=1d start=earliest end=latest | chart .....
This thing gives an error indicating it is not accepting earliest and latest field values.
How can I pass the values of earliest and latest here to makecontinuous?
I found a better way to make my chart continuous. It can be done by chart using span=1d and plotting it against _time.
@rishavvaidya, can you please explain how you are getting earliest value to your search? Do you have time picker input or is it some default times selected for search?
latest=relative_time(earliest,"+1mon")
Also is "01-February 2017" a fixed date for earliest?
Please clarify what you are trying to do and what dashboard elements you currently have, because from the description so far it seems like there might be a better way to create the search rather than what you are attempting.
Thanks
Below is the original query that I am using...
index="idx" |eval d=replace(strptime(update,"%Y-%m-%d"),".\d+","")|eval date=strftime(d,"%B %Y")|where like(date,"February 2017%")|chart count as Count by d |makecontinuous d span=1d |fillnull|eval date=strftime(d,"%Y-%m-%d") | chart values(Count) as Count by date
Here I am using the "update" field as the time field. And the month I will get dynamically by passing a token from the dropdowns.
My idea is to get the count of events on every day of the month. Even if the day has no event it should give it 0.
I'm using makecontinuous to do that, but the issue with this is that it makes the dates continuous only from the first non-zero event it finds.
Like if the first non-zero event it finds is on the 3rd of the month, then it will make the days continuous from that day, leaving out the 1st and 2nd day.
eval earliest=relative_time(strptime("01-February 2017","%d-%B %Y"),"+0mon"), latest=relative_time(earliest,"+1mon")|eventstats first(earliest) as earliest first(latest) as latest |makecontinuous d span=1d start=earliest end=latest
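One way to get a row for every day of the month, including leading days with no events, is to generate the calendar separately and merge it with the counts rather than passing field values to makecontinuous. This is an added example, not a query from any poster in this thread; it assumes the index and "update" field from the query above and hard-codes February 2017, which a dashboard would supply from its dropdown token.

```spl
index="idx"
| eval date=strftime(strptime(update,"%Y-%m-%d"),"%Y-%m-%d")
| stats count as Count by date
| append
    [| gentimes start=02/01/2017 end=03/01/2017 increment=1d
     | eval date=strftime(starttime,"%Y-%m-%d"), Count=0
     | fields date Count]
| where like(date,"2017-02-%")
| stats sum(Count) as Count by date
| sort date
```

Grouping on the formatted date string keeps the generated rows and the event rows in the same buckets, since the raw epoch values may differ in their decimal formatting. The where clause after the append drops any row outside the month, so the result is the same whether or not gentimes emits a row for the end date.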