Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Trigger time is Populate different in incident review tab

sahiltcs1
Loves-to-Learn
‎01-05-2021 06:54 PM

We have created two use cases and set up correlation search, Trigger time is every 10 minutes.

When notable event generate in incident review tab, What we observer there is fluctuation in time, trigger time and notable event time are different.

Please refer below screenshot for time difference highlighted.

Trigger time:

1/6/21 4:06:45.000 AM
Audit
User Account x was Locked out by Host
 

 

Adaptive Responses: 
Response Mode Time User Status
Notablesaved2021-01-05T17:12:35+1100  success

 

Need to understand why there is time difference?

 

Thanks,

Sahil

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-06-2021 12:08 AM

The only think I can suggest is there may be a wrong timestamped event on EventID=4725 or 4722. Since you are using "latest(_time) as _time" it will try to get the latest event sorted by _time. Please check if the correlation search that creates mismatched times has wrong timestamped data. You should be see this by running these searches and checking _time field.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-05-2021 11:47 PM

If you can share your correlation search maybe we can investigate better.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sahiltcs1
Loves-to-Learn
‎01-05-2021 11:49 PM

first one-

| tstats summariesonly=f allow_old_summaries=t count latest(_time) as _time from datamodel="Change"
where All_Changes.result_id=4725 by All_Changes.dest All_Changes.action All_Changes.result All_Changes.user All_Changes.Account_Management.src_user
| rename All_Changes.* as * , Account_Management.* as * | convert timeformat="%Y/%m/%d %T" ctime(_time) as _time

 

2nd one-

| tstats summariesonly=f allow_old_summaries=t count latest(_time) as _time from datamodel="Change"
where All_Changes.result_id=4722 by All_Changes.dest All_Changes.action All_Changes.result All_Changes.user All_Changes.Account_Management.src_user
| rename All_Changes.* as * , Account_Management.* as * | convert timeformat="%Y/%m/%d %T" ctime(_time) as _time

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-05-2021 09:22 PM

Hi @sahiltcs1,

On your sample Trigger time and Notable times are shown in different time zones. I assume your question is this  ~6 minutes delay on notable event time.

Since you are running correlation search on every 10 minutes, I assume your time range is something like -10m@m . Incident Review tab shows the actual event time that caused that notable. But notable time is the time that your correlation search finalizes by finding a result.

That is why it is normal that this time can be 0 to 10m before the notable event creation time.  

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

sahiltcs1
Loves-to-Learn
‎01-05-2021 11:42 PM

I don't think so its time zone issue, because other use cases we set up same condition and and in that use case we can see same time  there is no delay, But for this use case we are facing this issues

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...