Splunk Enterprise 6.5.2
Trying to get 12-hour span reporting: midnight to noon, noon to midnight.
A simplified version of my search is: index=_internal | bin _time span=12h | stats count by _time
For some reason, the intervals are calculated as 19:00 to 07:00 and 07:00 to 19:00:
_time            count
2018-04-20 07:00 2878932
2018-04-20 19:00 8825546
2018-04-21 07:00 5538945
2018-04-21 19:00 1476846
2018-04-22 07:00 4373903
2018-04-22 19:00 5332040
2018-04-23 07:00 1636378
2018-04-23 19:00 9937520
2018-04-24 07:00 11197284
2018-04-24 19:00 7186629
2018-04-25 07:00 3561015
2018-04-25 19:00 9161603
2018-04-26 07:00 7798990
2018-04-26 19:00 4544852
Is this a "feature" or a bug?
I manually built what bin automagically does. The relative_time call rounds _time down to the beginning of the current day. The strftime call calculates the HHMM offset for the current day and, if that is < 1200, adds nothing to the rounded-down-to-start-of-day _time; otherwise it adds 12 hours of seconds (12 * 60 * 60) to it. Then it drops the microphone.
Any chance your events are in a different timezone than your user preference, so that the time value shown for the event is different from the time of the event itself, which is what would be used by
I'm willing to bet your UI is configured to show events in ET. That would explain why a time that you'd expect to be at 12:00 would be displayed on your side as 07:00.
To check this:
Your Name (on the top bar of the page) -> Account Settings
Examine what's shown for Time zone under the Global heading.
Did some research with our SE, Nimish.
When the Time Zone is anything other than "Default System Timezone", you get some calculation of a different time:
When timezone = CT (-0600), span time starts at 19:00
When timezone = Chennai (+0530), time starts at 17:30
When timezone = ET (-0500), time starts at 20:00
When timezone = Default System Timezone, time starts at 00:00
I have tried adding earliest=-7d@d to try to force it to look at full days. Same results.
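The following is an added example and not code from this thread. It models the two behaviours the thread describes: the 12h buckets bin produces are multiples of 43200 seconds counted from the Unix epoch, so they fall on UTC midnight and noon and merely display as 19:00/07:00 (Central, daylight time), 20:00/08:00 (Eastern) or 05:30/17:30 (Chennai) in the user's zone; and the manual midnight/noon bucketing from the first answer (round _time down to the start of the local day, add 12 hours of seconds when HHMM >= 1200). The fixed-offset zones, the function names and the four sample timestamps are assumptions made for the illustration.

```python
# Added example, not part of the Splunk Answers thread above: it models why
# "bin _time span=12h" yields 19:00/07:00 (or 17:30/05:30) boundaries when the
# user's display time zone differs from UTC, and implements the manual
# midnight/noon bucketing described in the first answer (round _time down to the
# start of the local day, add 12 hours of seconds when HHMM >= 1200).
from datetime import datetime, timedelta, timezone

TWELVE_HOURS = 12 * 60 * 60

# Fixed-offset zones stand in for the user preferences mentioned in the thread
# (April 2018 is daylight time in the US, so Central is UTC-5 and Eastern UTC-4).
CENTRAL = timezone(timedelta(hours=-5), "CDT")
EASTERN = timezone(timedelta(hours=-4), "EDT")
CHENNAI = timezone(timedelta(hours=5, minutes=30), "IST")


def epoch_aligned_bucket(ts: int, span: int = TWELVE_HOURS) -> int:
    """Bucket start the way bin computes it for an hour-based span: a multiple of
    span counted from the Unix epoch, i.e. aligned to UTC midnight and UTC noon."""
    return ts - (ts % span)


def local_day_aligned_bucket(ts: int, tz: timezone) -> int:
    """The manual approach from the answer: relative_time(_time, "@d") rounds to the
    start of the local day; strftime("%H%M") decides whether to add 12h of seconds."""
    local = datetime.fromtimestamp(ts, tz)
    day_start = local.replace(hour=0, minute=0, second=0, microsecond=0)
    hhmm = int(local.strftime("%H%M"))
    return int(day_start.timestamp()) + (0 if hhmm < 1200 else TWELVE_HOURS)


def label(ts: int, tz: timezone) -> str:
    """Render a bucket start the way the results table shows _time in the user's zone."""
    return datetime.fromtimestamp(ts, tz).strftime("%Y-%m-%d %H:%M")


def bucket_labels(events: list[int], tz: timezone) -> tuple[list[str], list[str]]:
    """Return (bin-style labels, day-aligned labels) for a set of event timestamps."""
    epoch = sorted({label(epoch_aligned_bucket(t), tz) for t in events})
    local = sorted({label(local_day_aligned_bucket(t, tz), tz) for t in events})
    return epoch, local


# Constructed sample: four events on 2018-04-20 Central time (not real Splunk data).
SAMPLE_EVENTS = [
    int(datetime(2018, 4, 20, h, m, tzinfo=CENTRAL).timestamp())
    for h, m in [(3, 15), (9, 40), (18, 5), (22, 30)]
]

if __name__ == "__main__":
    for tz in (CENTRAL, EASTERN, CHENNAI):
        epoch, local = bucket_labels(SAMPLE_EVENTS, tz)
        print(tz.tzname(None), "bin span=12h ->", epoch)
        print(tz.tzname(None), "day-aligned  ->", local)
```

Two caveats for anyone adopting the manual approach in SPL: adding a fixed 43200 seconds to the start of the local day lands the afternoon bucket on 11:00 or 13:00 on a DST transition day, so a 12-hour offset expressed in clock time is safer if your version supports it; and because the bucket depends on the time zone of the user running the search, two users with different Account Settings time zones will get different bucket boundaries from the same saved search. Newer Splunk releases also document an aligntime option on bin for exactly this purpose; whether 6.5.2 supports it is something to confirm in that version's search reference rather than assume.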