Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does the time picker not work properly with customized formatted _time?

xinde
Path Finder
‎01-30-2018 10:38 AM

Hi,

In my query, the time stamp is created from the event content.

| rex "(?\d+\/\d+\/\d+\/\d+\/\d+\/\d+) (?\d*\.\d+|[[int]]) (?\d*\.\d+|[[int]])"
| eval _time=strptime(Time,"%Y/%m/%d/%H/%M/%S")  
| chart somevalues by _time

Graph works well. but when I try to use Splunk time picker, last x hours does not return last x hours events.
it returns events from days ago.
Anyone knows what happened here? Thanks in advance!

EG:

event content: 2018/1/30/12/0/30 0.1 2.1
 _time: 2018-01-30T12:00:30.000-05:00
0 Karma
Reply

raviopensource
Engager
‎07-28-2019 09:29 AM

same problem here. Once the _time is customized the time picker results do not work.

0 Karma
Reply

niketn
Legend
‎01-30-2018 12:10 PM

@xinde, the regular expression that you are using in SPL to extract Time and override _time field should be applied to your data's sourcetype using props.conf so that events get correct timestamp. If you do not provide this, Splunk will pick from one of its default logic to identify timestamp (_time), which is what will be used by the Time Picker control.

If time extracted in SPL is correct and does not match with original _time field on the events then you have an issue with your data ingestion and you should fix event timestamp identification first. Also the data that you have already indexed will have wrong timestamp which means existing data needs to be re-indexed if you need them.

Documentation for reference:
http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps
http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎01-30-2018 12:54 PM

@xinde, I have converted to answer. Please accept if it addressed your query!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...