Dear Experts
My search:
index="pm-azlm_internal_prod_events" sourcetype="azlmj"
[| inputlookup pm-azlm-reg-ocp-team
| search team IN (Bern)
| fields ocp ]
| strcat ocp "_" fr "_" el unique_id
| fields _time ocp fr el unique_id d_id
| search d_id IN ("DIAG_131", "DIAG_132")
```| timechart span=1d limit=0 count by unique_id```
| table _time unique_id d_idProduces data like:
_time unique_id d_id
2025-09-04 05:03:57 THO_1-B_SEC_FLM-13w DIAG_132
2025-09-04 10:52:27 THO_1-B_SEC_FLM-10w DIAG_132
2025-09-04 10:52:33 THO_1-B_SEC_FLM-10w DIAG_131
2025-09-04 10:52:34 THO_1-B_SEC_FLM-10w DIAG_132
2025-09-04 10:53:50 THO_1-B_SEC_FLM-10w DIAG_131
2025-09-04 10:54:23 THO_1-B_SEC_FLM-10w DIAG_132
2025-09-04 10:57:29 THO_1-B_SEC_FLM-10w DIAG_131
2025-09-04 10:57:32 THO_1-B_SEC_FLM-10w DIAG_132
2025-09-04 10:58:22 THO_1-B_SEC_FLM-10w DIAG_132
2025-09-04 10:58:22 THO_1-B_SEC_FLM-10w DIAG_131
In total 132 lines.
Creating from the data a timechart in the Splunk Search (enabling the commented line above, and commenting the table line) will show the graph in the upper half of the image below.
The same graph I get if I create a timechart in an old Splunk dashboard.
Time range is Sep 04 00:00 until Sep 10 24:00
The lower graph is from Dashboard Studio with exactly the same search. The data from Sep 04 is just partially shown. This without any indication that some data will be missing.
If I reduce the time range in Dashboard Studio to Sep 04 00:00 until Sep 09 24:00 the data displayed for Sep 04 will be correct.
For me it looks like there is a limitation in Dashboard Studio timechart in terms of the max amount of data which can be displayed.
Question: Is there anybody who can confirm that a Dashboard Studio timechart can not display the same amount of data as in the Search Window or in the old Dashboards?
Question: there a way to "fix" this?
Thank you for your help
