I was not able to upload this under comments. I have 3 bins and have assigned min color as "greenish-yellow" and max color as "Green". Please check.

From settings you can change the color bins. Min color as Red and Max color as Green. It should pick middle color as orange.

Yes.I tried that it gives me three colors no issues in that.But the problem is that the dates are shifted(Friday is displayed with Saturday's data and sunday with Monday's Data).

Can you run just your base search to pull one event? Validate whether the times on the _raw Event matches with _time timestamp for the same event in the Event Viewer? This is to confirm whether your data is in the same timezone as logged in user's timezone or not.

This could also be possible because you are overriding _time field with the field that you have calculated. Would it be possible for you to paste couple of events(mock up or anonymize and sensitive data). If you have Splunk Entitlement, you can also reach out to Splunk Support for them to assist you with your scenario.

Hi, even though I was able to see values for Friday and Monday after changing the timezone to EST but those values were incorrect since my data is in GMT timezone and my user profile is also in Gmt.still having the same issue of Friday data displayed on saturday and Monday data displayed on Tuesday.

@duraij, this seems to be issue with timestamp identification. Please have your Splunk admin look at the issue. You can confirm the same by adding date_hour and date_mday to your base search and validate the event timestamp. For example check if date_hour=23 date_mday=8 date_mday="wednesday" date_month="september", pulls data from wednesday or thursday. Verify _time is in sync with raw data timestamp and date_hour or not.

I am not able to accept anything as Answer .I don't see an option. Reg the data, I see that the values and Dates are right when represented as a table but when I see select the calendarHeatmap Visualization its incorrect.

Have you verified through the following?

 <Your Base Search>
| table _time date_mday date_wday date_hour

If the hour value of date_hour corresponds to hour value of _time, then you should report this issue as bug for Calendar heatmap visualization. I will try to test this out and revert back. Do let me know your Splunk Enterprise Version and Calendar Heatmap version.

Hi,Sorry for the late response.I was not able to run the above command since date_mday date_wday date_hour doesn't give me any results. but as I mentioned earlier "statistical view"/Table provides me the right data but only when I select Calendar Heatmap the data is overlapped and Mondays data is displayed as Sunday's.

HI, You were right the issue was because of the timezone but I still dont see data for some dates but I will figure that out.Thanks a lot. Can you convert your comment to answer so that I can accept it.Thanks.

Thanks a lot for response.But I don't get any results for the query.I drill down that the timechart command is not fetching me any results for GCTime and BankCTime (timechart span=1d values(BankCTime) as BankCTime values(GCTime) as GCTime).whereas when I use anyother command like "chart values(BankCTime) as BankCTime values(GCTime) as GCTime" or "table BankCtime GCTime" gives the result.Please let me know what I am missing.

In your last example table prior to my answer, you have mentioned String Date field DATE however, in your initial clarification it was COBDATE. Please ensure you are converting correct date field from string time to epoch time.

If it is COBDATE, use the following prior to timechart command

| eval _time=strptime(COBDATE,"%Y%m%d")
PS: Timechart will work with _time field containing epoch time. So you should convert String Date field to epoch and assign the same to _time.

Also based on your clarification per day you should have only one GCTime and BankCTime for values() to work or else you might have to use max() or last() instead of values(). For example: max(GCTime) or last(GCTime).

Hi ,Yes I am converting my Date(COBDATE) to EpochTime. and yes I have only one value of GCTime and BankCTime per day.

If you run command | table _time GCTime BankCTime are you seeing expected results? Ideally timechart should work then.

You mentioned that chart command was working fine for you. Can you try using chart as timechart command by introducing by _time clause and also span=1d for daily bucket?

| chart span=1d values(BankCTime) as BankCTime values(GCTime) as GCTime by _time

Thanks and appreciate your replies.Yes Chart ,table commands worked issue was only with timechart seems weird. But I was able to do a work around.
Thanks

Can you please post the workaround for other's reference?
Were you able to try out chart with span=1d and aggregated by _time?

Sure.Span cannot be used with chart command as far as I know. Also tried it, dint work.

Yes span is available with chart command: https://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Chart#Span_options

If you have tried span with chart and it did not work, can you post the command that you tried?

Further, if chart command is working for you and chart along with span and split by _time is not working, then it will confirm that _time field is not available when you are trying to plot the chart. For which you will need a command like | eval _time=strptime(COBDATE,"%Y%m%d") before calling the chart command as I had mentioned earlier.

In any case if you have solved your issue with a work-around, you can post the same for other's reference and close this 🙂