topic Re: Timechart visualization does not match statistics in Splunk Search

Timechart visualization does not match statistics

Sukisen1981 — Wed, 30 Sep 2020 04:54:14 GMT

I have a csv with just 2 columns Time & memory. the events look like this, so this is basically a csv extract of a server memory utilization for April 3rd from 12:00 AM - 11:30 PM at an interval of 10 mins.
Time Event
4/3/20 4/3/2020 23:34,98%
11:34:00.000 PM

When i run a very simple query - index="memory"|timechart count
The statistics tab looks ok

however for some reason the visulaization tab is pushed back and starts from April 2nd

Of course i thought it to be an issue with the time modifiers and tried tinkering like this
index="memory" |rex field=_raw "(?.*?)\,"|eval time=strptime(time,"%m/%d/%Y %H:%M")|eval _time=time |timechart count
In the rex for 'time' I am extracting it from the event(_raw) and NOT the first CSV columb 'Time'.
BUT the output remains the same, namely the issue is the statistics tab looks absolutely correct but the viz tab gets pushed back .
Any clues?

Re: Timechart visualization does not match statistics

richgalloway — Sat, 04 Apr 2020 17:04:35 GMT

Have you tried changing the time picker from "All time" to the window you expect for the viz?

Re: Timechart visualization does not match statistics

Sukisen1981 — Sat, 04 Apr 2020 19:45:16 GMT

hi @richgalloway - Strange, when i changed the time picker to last 24 hrs...i got a 'no results found'. I uploaded the CSV today. At any rate why would the time picker be affecting just the visualization and NOT the stats tab?
Is this a bug?

Re: Timechart visualization does not match statistics

to4kawa — Sat, 04 Apr 2020 21:26:54 GMT

your props.conf is not DATETIME_CONFIG = current
check props.conf

Re: Timechart visualization does not match statistics

richgalloway — Sat, 04 Apr 2020 21:27:01 GMT

It certainly is strange.
When you uploaded the data is not as relevant as the _time value for the events. That is what Splunk looks at to satisfy the time picker.

Re: Timechart visualization does not match statistics

Sukisen1981 — Wed, 30 Sep 2020 04:52:27 GMT

hi @to4kawa . I suspected that, but didn't work. below is my settings in props.conf under local for the relevant sourcetype

[mem]
DATETIME_CONFIG = current
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

Re: Timechart visualization does not match statistics

Sukisen1981 — Wed, 30 Sep 2020 04:52:30 GMT

Hi @richgalloway and @to4kawa
I am happy to say that the issue is fixed and I want to apologize for wasting your time as well. Now, this is my local version and I am in India (Kolkata,Chennai etc time zone). I noticed that the events were getting pushed back by 5.5 hours in the timechart viz, which means I was getting defaulted to GMT.
So, I did 2 steps
1- I uploaded the CSV fresh, and went for advanced extraction, under the timezone, I set the time zone for India

2- I am logging in as admin and I changed the admin user's timezone to IST.

I am sure probably step 2 is all that is needed, but hey am not tinkering anything now. I am sorry once again, I should have specified the time zone gap(that events were getting defaulted to GMT and not IST) in my original post.
I have lingering doubts though, because once I change the _time settings forcefully with an extracted filed and set _time=extracte_time...irrespective of the timezone settings the timehchart viz should work , but maybe I am wrong.
Once again sorry for the bother, it was my mistake. I forgot this was my local and not my customer's splunk instance where timezones are already set up by the admin team 🙂 🙂