Why does the endEpoch field of dbinspect show the last event timestamp as way into the future when it actually appears not to be?

Path Finder

Hello splunkers,

This is probably some kind of expected behavior, but I would still like to confirm. I noticed that dbinspect shows an endEpoch time well into the future (some 12h into the future), when it actually is not (this is the _internal index for one thing, and I double-checked the date and time on the indexers and SHs).

The dbinspect documentation says: "endEpoch: The timestamp for the last event in the bucket, which is the time-edge of the bucket furthest towards the future." Does that actually mean the timestamp of the last event that the bucket can hold, as opposed to the last event currently in the bucket? The Splunk version for the indexers is 6.5.5 and for the SHs 6.5.6.

| dbinspect index=_internal state=hot | convert ctime(endEpoch) AS latestTime | convert ctime(startEpoch) AS earliestTime| sort - endEpoch | fields latestTime, splunk_server

Thanks in advance

0 Karma
1 Solution

Ultra Champion

This should only occur if you have events in that index with a future date. Have you tried looking in the relevant index for any events which have bad timestamps?

Path Finder

Hi, that was why I tried with _internal, so that there won't be things like a bad timestamp extraction in the way, and as mentioned in the question, the time and date on the SHs and indexers are correct.

0 Karma

Ultra Champion

That's normally true, but some modular inputs etc. write logs to _internal, and I have seen some pretty screwy errors.

What do you get from | tstats latest(_time) where index=_internal? How does that timestamp compare with dbinspect?

0 Karma

Path Finder

Thanks for the tip. tstats also reported the event in the future, but now I could easily look for host and source, and they show where the problem is; it was from a forwarder:
|tstats latest(_time) where index=_internal host=my_fwd by source for All Time

It was indeed coming from modular inputs:
C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunk-powershell.ps1.log

0 Karma
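An added example search (not from the original post) that does the check suggested in this thread in one step: instead of reading the latest _time per source, it compares each event's _time with its _indextime, so events that were indexed with a timestamp ahead of the time they arrived stand out together with the host, source and sourcetype that produced them. The 300-second tolerance and the lead_seconds, max_lead_seconds and future_events field names are my own choices; the latest=+7d bound is needed because the default latest=now would exclude exactly the future-dated events we want to see.

```spl
index=_internal earliest=-24h latest=+7d
| eval lead_seconds = _time - _indextime
| where lead_seconds > 300
| stats count AS future_events, max(lead_seconds) AS max_lead_seconds, max(_time) AS latest_event_time BY host, source, sourcetype
| eval max_lead_hours = round(max_lead_seconds / 3600, 1)
| convert ctime(latest_event_time)
| sort - max_lead_seconds
```

The max_lead_hours column should line up with the gap between now and the endEpoch that dbinspect reports for the hot bucket (about 12h in this thread); if a single source accounts for it, the timestamp extraction for that input is the thing to fix. Dropping the index= filter extends the same check to every index, where a bad timestamp also skews the bucket's time range and can make normal time-bounded searches miss those events.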

Path Finder

This is not a timezone issue; the epoch time itself is in the future, by some 12h:
| dbinspect index=_internal state=hot | convert ctime(endEpoch) AS latestTime | sort - endEpoch | fields endEpoch, splunk_server

0 Karma

Champion

Hi murikadan,

Could you please check in the user's general settings which timezone is set? Is it the system default or some custom timezone?

0 Karma

Path Finder

It's not timezone; I will add that to the question.

0 Karma

Champion

Hi,

I tried the search below and it's showing the exact time as the system time. But when I changed the user's timezone it added that much time to endEpoch.

| dbinspect index=_internal state=hot | convert ctime(endEpoch) AS latestTime | convert ctime(startEpoch) AS earliestTime| sort - endEpoch | fields latestTime, splunk_server

0 Karma