topic Re: bin span behaving wierd in Reporting

bin span behaving wierd

rk60422 — Fri, 27 Apr 2018 03:11:03 GMT

Splunk Enterprise 6.5.2

Trying to get 12 hour span reporting Midnight to noon, noon to midnight.

A simplified version of my search is : index=_internal | bin _time span=12h | stats count by _time

For some reason, the intervals are calculating 19:00 to 07:00, 07:00 to 19:00
2018-04-20 07:00 2878932

2018-04-20 19:00 8825546

2018-04-21 07:00 5538945

2018-04-21 19:00 1476846

2018-04-22 07:00 4373903

2018-04-22 19:00 5332040

2018-04-23 07:00 1636378

2018-04-23 19:00 9937520

2018-04-24 07:00 11197284

2018-04-24 19:00 7186629

2018-04-25 07:00 3561015

2018-04-25 19:00 9161603

2018-04-26 07:00 7798990

2018-04-26 19:00 4544852

Is this a "Feature" or a bug

Re: bin span behaving wierd

micahkemp — Fri, 27 Apr 2018 03:21:02 GMT

Any chance your events are in a different timezone than your user preference, thus the time value shown for the event is different than the time of the event itself, which is what would be used by bin?

Re: bin span behaving wierd

rk60422 — Fri, 27 Apr 2018 09:39:19 GMT

Events are based on ET -0500.
I am in CT -0600

It does not matter what time of day you run it.

Re: bin span behaving wierd

ndoshi — Fri, 27 Apr 2018 12:31:08 GMT

Put in an earliest flag in the search to snap to the beginning of the day?

Something like earliest=-2d@d

Re: bin span behaving wierd

micahkemp — Fri, 27 Apr 2018 13:26:43 GMT

I'm willing to bet your UI is configured to show events in ET. That would explain why a time that you'd expect to be at 12:00 would be displayed on your side as 07:00.

To check this:

Your Name (on the top bar of the page) -> Account Settings

Examine what's shown for Time zone under the Global heading.

Re: bin span behaving wierd

rk60422 — Fri, 27 Apr 2018 14:45:39 GMT

Did some research with our SE, Nimish.
When the Time Zone is anything other than "Default System Timezone", you get some calculation of a different time.
when timezone = CT (-0600) span time starts 19:00
when timezone = Chennai (+0530) time starts @ 17:30
When timezone = ET (-0500) time starts @ 20:00
When timezone = Default System Timezone time starts @ 00:00

I have tried added earliest =-7d@d to try to force it to look at full days. Same results.

Re: bin span behaving wierd

woodcock — Mon, 30 Apr 2018 19:02:26 GMT

Instead of this:

| bin _time span=12h ...

Try this:

| eval _time = relative_time(_time, "@d") + if((tonumber(strftime(_time, "%H%M")) < 1200), 0, (12 * 60 * 60)) ...

Re: bin span behaving wierd

macadminrohit — Mon, 30 Apr 2018 21:19:31 GMT

Can you explain how you did this. I am having hard time to understand this calculation.

Re: bin span behaving wierd

woodcock — Mon, 30 Apr 2018 21:37:39 GMT

I manually built what bin automagically does. The relative_time call rounds _time down to the beginning of the current day. The strftime call calculates HHMM offset for the current day and if that is < 1200, adds nothing to the rounded-down-to-start-of-day _time, otherwise adds 12-hours of seconds (12 * 60 *60) to it. Then it drops the microphone.