Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does the time picker not work properly with customized formatted _time?

xinde
Path Finder
‎01-30-2018 10:38 AM

Hi,

In my query, the time stamp is created from the event content.

| rex "(?\d+\/\d+\/\d+\/\d+\/\d+\/\d+) (?\d*\.\d+|[[int]]) (?\d*\.\d+|[[int]])"
| eval _time=strptime(Time,"%Y/%m/%d/%H/%M/%S")  
| chart somevalues by _time

Graph works well. but when I try to use Splunk time picker, last x hours does not return last x hours events.
it returns events from days ago.
Anyone knows what happened here? Thanks in advance!

EG:

event content: 2018/1/30/12/0/30 0.1 2.1
 _time: 2018-01-30T12:00:30.000-05:00
0 Karma
Reply

raviopensource
Engager
‎07-28-2019 09:29 AM

same problem here. Once the _time is customized the time picker results do not work.

0 Karma
Reply

niketn
Legend
‎01-30-2018 12:10 PM

@xinde, the regular expression that you are using in SPL to extract Time and override _time field should be applied to your data's sourcetype using props.conf so that events get correct timestamp. If you do not provide this, Splunk will pick from one of its default logic to identify timestamp (_time), which is what will be used by the Time Picker control.

If time extracted in SPL is correct and does not match with original _time field on the events then you have an issue with your data ingestion and you should fix event timestamp identification first. Also the data that you have already indexed will have wrong timestamp which means existing data needs to be re-indexed if you need them.

Documentation for reference:
http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps
http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎01-30-2018 12:54 PM

@xinde, I have converted to answer. Please accept if it addressed your query!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...