I have the following source:
</input>
<input type="time" token="timeRange" searchWhenChanged="true">
<label>Select Time Range:</label>
<default>
<earliest>0</earliest>
<latest></latest>
</default>
</input>...
<search>
<query>host=$host$ source="/etc/myproject/logs/myproject.log" "msgType=Notification" |bucket _time span=day |stats count by _time</query>
<earliest>$timeRange.earliest$</earliest>
<latest>$timeRange.latest$</latest>
</search>
I see correct results in the visualization, but when I click on any of the results on the chart, the drilldown doesn't show the results because the Date Time Range is rendered incorrectly. I see zero results for the search query as the Date Time Range is
(21/03/2019 00:00:00.000 to 21/03/2019 00:00:00.01).
How can I overcome this and get the right time range?
@ananth402,
It seems like bucket/bin always snaps to the date on drilldown and does not give the range.
You may try timechart span=day count
which should give you events from the start of the day to end of day.
<query>host=$host$ source="/etc/myproject/logs/myproject.log" "msgType=Notification" |timechart span=day count</query>
Try and verify your results.