latest events which are indexed are not pulled cor...

k_harini · ‎01-17-2018

I have real time events pulled through rest api call. The latest events are present in index but not visible when we select time filter as 4 hours. Events are visible with All time filter.
what could be the issue
(before 1/17/18 12:07:20.000 PM) This is what i see when i select all time

But in events - I see this 1/17/18
5:12:47.000 PM and events with _time=2018-01-17 17:12:47

so when filter is selected as 4 hours events are not visible. Kindly help.. its urgent
DATETIME_CONFIG =
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ=UTC

mayurr98 · ‎01-17-2018

can you show some sample events?

k_harini · ‎01-17-2018

_time=2018-01-17 17:12:47,u_comments="",child_incidents="0",sys_tags="",u_sla="",u_resolved="",work_notes_list="",work_end="",u_approve_reject="",u_priority_type="Downgrade",approval_history="",u_external_reference_id="",rfc="",u_resolved_by="",sla_due="UNKNOWN",u_peer="",u_proposed_critical="false",u_production_server_risk="false",u_business_unit="De Beers Canada"

This is one sample event

k_harini · ‎01-17-2018

I guess this is issue with timezone.. its indexing ahead of time and not shown in time filter. How to correct this?

mayurr98 · ‎01-17-2018

hey, check your server time. I had faced this kind of issues NTP synchronization at server level would solve your issue
let me know if it helps!

k_harini · ‎01-17-2018

Should the props.conf be as per server time?

mayurr98 · ‎01-17-2018

Nope but your files should !

493669 · ‎01-17-2018

is your data is coming from database?
your eventtime(_time) is ahead of time so you are not getting result when you search for last 4 hrs and getting result when search for all time

latest events which are indexed are not pulled correctly based on time filter

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life