I have hotel bookings created in March 2020 but check-in dates will be after March 2020. How to see future bookings (Check-in date) in splunk for each month from April-2020 until Dec-2021.
I have set the timestamp (input date function) based on Check-in date but could not see results.
I have loaded the data with check-in date and splunk pick ups the time stamp same as check_in date.
I have loaded the data with check-in date and splunk pick ups the time stamp same as check_in date.
No, correct timestamp data is not enough to see the details of future dates in the splunk.
We need to introduce the below configuration in the Props.conf in the path 'local' folder (Do not update in the default folder)
MAX_DAYS_HENCE = 730 (365 * 2, to read 2 years of data from the current date)
Restart the Splunk services and then load the data into Splunk to reflect the future dates in the reports.
Thanks for your hints to resolve this issue.
Does that mean your problem is resolved?
Have you tried adding latest = +1y
to your base query?
I have tried with the selection of timestamp from Jan-2020 until Dec 2020 and Jan-2020 until Dec 2021 but it shows results until Feb-2020 only.
This is my query:
index="alldemo" sourcetype="AllDemoMI_Created" BOOKING_STATUS=CFD AND ((MARKET="") (CLIENT_TOP_NAME="") (CONTENT_SOURCE="") () (CONFIRMEDBY_USER=""))
| eval month_num=strftime(_time,"%m") | eval Month=strftime(_time,"%b %Y")
| stats count as [ search index="alldemo" sourcetype="AllDemoMI_Created" BOOKING_STATUS=CFD AND ((MARKET="") (CLIENT_TOP_NAME="") (CONTENT_SOURCE="") () (CONFIRMEDBY_USER="")) | stats count as "Total Booking" ] by date_year, month_num, Month | sort date_year,month_num | fields - month_num - date_year
_time
is the timestamp of the event
So unless your sourcetype's events timestamp is in the future, this isn't going to work
What field in the event actually holds the check-in date?
I'd find it very surprising to find out that _time
is really the check-in date, and not either when the reservation was made, or when the event goes into Splunk
Let's back up a bit. When were the events created? Bookings for March 2021 made today will (should) have today's date in _time so that is the date you would use for earliest
or latest
. Then you can examine the check-in date to see if it's in the desired range.