Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search for events that have not happened

sheltonr
Engager
‎10-26-2010 06:21 PM

When we 'fall back' one hour for Daylight Savings Time, I'd like to run a search that would reveal those log sources that didn't adjust correctly (their event timestamps will be one hour in the future.) What might the syntax for such a search look like? Thank you!

Tags (1)
Reply
2 Solutions
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-26-2010 06:25 PM

The way I've usually seen this done is to compare _time to _indextime.

_time is the time extracted from the event's text, as the number of seconds since 1970

_indextime is the time the event was indexed, according to the local system clock (also number of seconds since 1970).

so if you use eval to look for this difference you should have what you need.

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎10-27-2010 04:45 PM

Ah, the nefarious "future event".

For a lightweight approach, how about:

| metadata type=hosts | eval now = now() | where latestTime > now

View solution in original post

0 Karma
Reply
Solved! Jump to solution

cudgel
Path Finder
‎11-04-2010 02:22 PM

How well does the search "| metadata type=hosts | eval now = now() | where latestTime > now" work in a scheduled search? I seem to get a huge load of results for hosts off by as much as 2-3 minutes because of what - now() evaluates to when the search is scheduled to run? If I run the search manually, e.g. over the past hour, it seems to return accurate results.

0 Karma
Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎10-27-2010 04:45 PM

Ah, the nefarious "future event".

For a lightweight approach, how about:

| metadata type=hosts | eval now = now() | where latestTime > now
0 Karma
Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎10-26-2010 06:25 PM

The way I've usually seen this done is to compare _time to _indextime.

_time is the time extracted from the event's text, as the number of seconds since 1970

_indextime is the time the event was indexed, according to the local system clock (also number of seconds since 1970).

so if you use eval to look for this difference you should have what you need.

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎10-27-2010 10:04 PM

Well more generally you want to see anywhere where there's a delta between _indexTime and _time If both sides respect DST there's no issue. If only one respects DST there'll be a persistent delta suddenly, and if they're slightly off there'll be a delta for some small slice of time and then it'll go away. And in each case which direction the delta goes depends on which side is observing DST and which is not.

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎10-27-2010 04:43 PM

This assumes that your Splunk servers' clocks are affected by DST 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...