
After the Daylight Savings Time change, why am I not getting results using the timewrap command?

New Member

We have some dashboards running searches with timewrap. I have noticed that after the Daylight Savings Time (DST) change on the night of 03/12/2017, our searches are giving "0" as a result, whereas I can see the result is something different. I have taken the search and run it in parts, and when I reached the last part, where I run the timewrap, the result gets erroneous.

Is there any way to check and fix the time somewhere?

Noman Syed

0 Karma

Re: After the Daylight Savings Time change, why am I not getting results using the timewrap command?

Legend

What do you see when you look at the underlying data, in a simple search?

Splunk does not do anything about Daylight Savings Time or British Summer Time, etc.
As data arrives in Splunk and is parsed, the timestamps are calculated in UTC and stored with the events in the Splunk index.
The events are displayed in the timezone that the user chooses in their personal settings.

So if something has abruptly changed, I would examine: Did something change on the systems that generate the data? Is there a timezone explicitly specified in the timestamp (that would be nice)? Is the timestamp in the incoming data correct? When the data is parsed, are there any props.conf settings that might change how the timestamp is interpreted?
Here is the documentation for How timestamp assignment works.

0 Karma
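
The timestamp checks suggested in the reply above, as an added example that is not part of the original thread and is not Splunk code: it converts constructed sample timestamps to UTC epoch seconds, lists the ones that carry no explicit zone, and measures how far the stored time moves when such a timestamp is read under a fixed offset instead of a DST-aware zone. The zone `America/New_York`, the sample values and all function names are assumptions.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

NY = ZoneInfo("America/New_York")          # assumed DST-aware source zone
FIXED_EST = timezone(timedelta(hours=-5))  # fixed offset that ignores DST

# Constructed sample timestamps around the 03/12/2017 change (not from the thread).
SAMPLES = [
    "2017-03-11 12:00:00 -0500",  # explicit offset, before the change
    "2017-03-12 12:00:00 -0400",  # explicit offset, after the change
    "2017-03-12 12:00:00",        # no zone: meaning depends on parser settings
]
FMT = "%Y-%m-%d %H:%M:%S"


def to_epoch(raw, assumed_tz):
    """Return (utc_epoch_seconds, had_explicit_zone) for one raw timestamp."""
    try:
        return int(datetime.strptime(raw, FMT + " %z").timestamp()), True
    except ValueError:
        # No offset in the data: the result depends entirely on assumed_tz.
        naive = datetime.strptime(raw, FMT)
        return int(naive.replace(tzinfo=assumed_tz).timestamp()), False


def needs_explicit_zone(samples):
    """Timestamps whose stored epoch depends on how the parser is configured."""
    return [s for s in samples if not to_epoch(s, timezone.utc)[1]]


def skew_seconds(raw, tz_a, tz_b):
    """Epoch difference when the same raw timestamp is read under two zones."""
    return to_epoch(raw, tz_a)[0] - to_epoch(raw, tz_b)[0]


if __name__ == "__main__":
    for s in SAMPLES:
        epoch, explicit = to_epoch(s, NY)
        print(f"{s!r:32} epoch={epoch} explicit_zone={explicit}")
    print("no explicit zone:", needs_explicit_zone(SAMPLES))
    print("fixed -05:00 vs DST-aware skew:",
          skew_seconds(SAMPLES[2], FIXED_EST, NY), "s")
```

The two noon samples with explicit offsets are 23 hours apart in UTC, not 24, which is the kind of shift to look for when comparing data from either side of the change.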

Re: After the Daylight Savings Time change, why am I not getting results using the timewrap command?

New Member


If I remove the TIMEWRAP command from the search, I get the correct result, but as soon as I put the TIMEWRAP command back in the search, it produces 0 as a result. Screenshots are attached.

0 Karma

Re: After the Daylight Savings Time change, why am I not getting results using the timewrap command?

Legend

You should not be using timewrap when you want to display a single value result as you show in your comment. So it is correct to remove the timewrap command.

0 Karma