Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk graphs the future

kwaingrow
Path Finder
‎03-27-2013 03:07 PM

I'm running Splunk version: 4.2.3-105575

Searcher and indexers are all set to GMT which may be the cause. Looking at all the events of a particular sourcetype, the Index time, Source time, and even the bar graph Display time are all correct, but the bar graph believes there is 8 hours of data missing in the future. This is affect other graphs we build off and affects our analysis trending. http://www.ugu.com/splunk/gap8hr.jpg

0 Karma
Reply

gfuente
Motivator
‎04-01-2013 02:35 AM

Hello

Have you checked the timezone settings for your user?

Regards

0 Karma
Reply

kwaingrow
Path Finder
‎04-01-2013 09:25 AM

All other primary splunk conf files (inputs, props, transforms, server, web, etc…) are the same between indexer0001 and indexer022. It also worth noting that the issue does not appear with "some" of the other sourcetypes on indexer022.

Could there be a hidden conf somewhere that has a stanza uniquely configured for this sourcetype (servicelog) and a few others. I haven't found anything in the normal config files.

0 Karma
Reply

kwaingrow
Path Finder
‎04-01-2013 09:24 AM

Yes. Further investigating reveals.

All splunk servers are running Linux Centos 5.x, all have the same Splunk version: 4.2.3-105575

From the Searcher, the following exhibits the gap between PDT and UTC on our standard OS built indexers (as seen in the attached link above). This we know already know.
sourcetype="servicelog" earliest=-8h splunk_server="indexer022"

We have an indexer on an old non-standard OS that everything works fine and there is no gap.

Also worth noting that the issue does not appear with "some" of the other sourcetypes on indexer022.

An help is greatly appreciated...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...