
Why does the bucket command on _time with span=12h only return odd numbers (11:00, 23:00), not even (12:00, 24:00)?

Contributor

Hi All,

I am doing a simple bucketing of events and counting them. But when I bucket the events it always does it in odd numbers, and I want it in even numbers.
For example:

index=abc | bucket _time span=12h | stats count by _time

I get buckets as 23:00, 11:00, 23:00 (odd numbers),
but I want 12:00, 24:00 (even numbers).

How can I achieve this?

Thanks in advance

KK


Re: Why does the bucket command on _time with span=12h only return odd numbers (11:00, 23:00), not even (12:00, 24:00)?

Motivator

Seems to be some sort of bucket display offset calculation?

For example, a 6 hour span using -1@d to @d gives buckets consisting of:

Bucket 1
00:00
01
02
03
04
05:59

Bucket 2
06:00
...
11:59

and so on.

So I guess that it then needs to put this data against some _time value. It seems to get put against something that is within the bucketed time frame, rounded to the largest of the time type (in this case hours); this gives 05. If we displayed it with an extra hour then it would fit the expected display as well as having the correct events inside.

index=_internal host=blah | bucket _time span=6h | eval new=_time+3600 | rename new AS _time | timechart count

This creates the buckets with the expected "display" time frames.

So for your search:

index=abc | bucket _time span=12h | eval new=_time+3600 | rename new AS _time | stats count by _time

A similar issue is discussed in the following threads.
http://answers.splunk.com/answers/68016/bucket-command-time-boundary-issues.html
http://answers.splunk.com/answers/33523/timechart-span-starting-at-specified-point.html

I have no idea of the root cause however.


Re: Why does the bucket command on _time with span=12h only return odd numbers (11:00, 23:00), not even (12:00, 24:00)?

Builder

What's the timezone set on the indexers and search head?


Re: Why does the bucket command on _time with span=12h only return odd numbers (11:00, 23:00), not even (12:00, 24:00)?

Contributor

Indexers on UTC
Search Head on EDST


Re: Why does the bucket command on _time with span=12h only return odd numbers (11:00, 23:00), not even (12:00, 24:00)?

Motivator

Even when logged on directly to an indexer running UTC and performing the same search from an account running the UTC timezone, you get odd numbers, so I highly doubt it's a timezone offset issue.


Re: Why does the bucket command on _time with span=12h only return odd numbers (11:00, 23:00), not even (12:00, 24:00)?

Motivator

Sorry, I was wrong. This is a timezone issue.

The bucketing occurs on the search peer and as such takes the peer's timezone.

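The mechanism the thread arrives at (bucket boundaries are aligned to local midnight in the zone of the host that performs the bucketing, while a search head in another zone renders the labels in its own zone) as an added Python illustration; this is not Splunk's code or anything posted in the thread. The event timestamps and the fixed UTC-4 offset standing in for EDT are constructed assumptions, and the `shift` parameter mirrors the earlier `eval new=_time+3600` relabelling workaround, which moves labels without changing which events each bucket counts.

```python
from datetime import datetime, timedelta, timezone

# Constructed UTC timestamps standing in for the _time of three events.
EVENTS_UTC = [
    datetime(2013, 6, 10, 3, 30, tzinfo=timezone.utc),
    datetime(2013, 6, 10, 13, 15, tzinfo=timezone.utc),
    datetime(2013, 6, 10, 22, 45, tzinfo=timezone.utc),
]

SPAN_12H = timedelta(hours=12)
UTC = timezone.utc
EDT = timezone(timedelta(hours=-4))  # assumed search head zone (EDT, UTC-4)


def bucket_start(ts, span, tz):
    """Floor ts to the start of its span-wide bucket, with boundaries aligned
    to local midnight in tz (the zone of the host doing the bucketing)."""
    local = ts.astimezone(tz)
    midnight = local.replace(hour=0, minute=0, second=0, microsecond=0)
    whole_spans = (local - midnight) // span      # number of full spans since midnight
    return midnight + whole_spans * span


def bucket_counts(events, span, peer_tz, display_tz, shift=timedelta(0)):
    """Bucket in peer_tz (where the search peer computes the bucket), then
    render each boundary in display_tz, as a search head elsewhere would.
    shift relabels the boundary only; membership of each bucket is unchanged."""
    counts = {}
    for e in events:
        start = bucket_start(e, span, peer_tz) + shift
        label = start.astimezone(display_tz).strftime("%Y-%m-%d %H:%M")
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    # Peer on UTC, search head on EDT: boundaries land at 20:00 / 08:00 EDT.
    print("UTC peer, EDT display:", bucket_counts(EVENTS_UTC, SPAN_12H, UTC, EDT))
    # Peer and search head both on EDT: boundaries land at 00:00 / 12:00.
    print("EDT peer, EDT display:", bucket_counts(EVENTS_UTC, SPAN_12H, EDT, EDT))
    # Relabelling workaround: same counts per bucket, labels moved by one hour.
    print("UTC peer, EDT display, +1h:",
          bucket_counts(EVENTS_UTC, SPAN_12H, UTC, EDT, timedelta(hours=1)))
```

The same three events land in two buckets when the peer aligns to UTC but in three when it aligns to EDT, which is why detection windows built on `bucket`/`timechart` should state which zone they are aligned to.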