- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Re: bin span behaving wierd
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bin span behaving wierd
Splunk Enterprise 6.5.2
Trying to get 12 hour span reporting Midnight to noon, noon to midnight.
A simplified version of my search is : index=_internal | bin _time span=12h | stats count by _time
For some reason, the intervals are calculating 19:00 to 07:00, 07:00 to 19:00
2018-04-20 07:00 2878932
2018-04-20 19:00 8825546
2018-04-21 07:00 5538945
2018-04-21 19:00 1476846
2018-04-22 07:00 4373903
2018-04-22 19:00 5332040
2018-04-23 07:00 1636378
2018-04-23 19:00 9937520
2018-04-24 07:00 11197284
2018-04-24 19:00 7186629
2018-04-25 07:00 3561015
2018-04-25 19:00 9161603
2018-04-26 07:00 7798990
2018-04-26 19:00 4544852
Is this a "Feature" or a bug
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of this:
| bin _time span=12h ...
Try this:
| eval _time = relative_time(_time, "@d") + if((tonumber(strftime(_time, "%H%M")) < 1200), 0, (12 * 60 * 60)) ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you explain how you did this. I am having hard time to understand this calculation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I manually built what bin automagically does. The relative_time call rounds _time down to the beginning of the current day. The strftime call calculates HHMM offset for the current day and if that is < 1200, adds nothing to the rounded-down-to-start-of-day _time, otherwise adds 12-hours of seconds (12 * 60 *60) to it. Then it drops the microphone.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Put in an earliest flag in the search to snap to the beginning of the day?
Something like earliest=-2d@d
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any chance your events are in a different timezone than your user preference, thus the time value shown for the event is different than the time of the event itself, which is what would be used by bin?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Events are based on ET -0500.
I am in CT -0600
It does not matter what time of day you run it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm willing to bet your UI is configured to show events in ET. That would explain why a time that you'd expect to be at 12:00 would be displayed on your side as 07:00.
To check this:
Your Name (on the top bar of the page) -> Account Settings
Examine what's shown for Time zone under the Global heading.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did some research with our SE, Nimish.
When the Time Zone is anything other than "Default System Timezone", you get some calculation of a different time.
when timezone = CT (-0600) span time starts 19:00
when timezone = Chennai (+0530) time starts @ 17:30
When timezone = ET (-0500) time starts @ 20:00
When timezone = Default System Timezone time starts @ 00:00
I have tried added earliest =-7d@d to try to force it to look at full days. Same results.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
