one of our dashboards were using below query
| timechart count span=1d cont=false
in 6.6.4 Splunk enterprise, we could see that it can ignore time-frame for missing data when we use cont=false. In 7.2.6
splunk, the results are different, chart shows the timeframe for missing data.
Attached are screenshots for both splunk versions. I can achieve the expected behavior using stats over one of the field, but i will not be able to use the annotations feature of 7.x. Can you help with this issue to show graph non-continuously and ignore the data for missing timeframe.
If you would like to replicate. use below query along with attached lookup file.
| inputlookup FDE_incidents_mec.csv
| sort 0 by time_epoch desc
| addinfo
| where created_time > info_min_time AND created_time < info_max_time OR info_max_time="+Infinity"
| stats count by created_time
| sort created_time
| eval created_time= strftime(created_time,"%d-%b-%y")
↧