Getting Data In

latest events which are indexed are not pulled correctly based on time filter

k_harini
Communicator

I have real time events pulled through rest api call. The latest events are present in index but not visible when we select time filter as 4 hours. Events are visible with All time filter.
what could be the issue
(before 1/17/18 12:07:20.000 PM) This is what i see when i select all time

But in events - I see this 1/17/18
5:12:47.000 PM and events with _time=2018-01-17 17:12:47

so when filter is selected as 4 hours events are not visible. Kindly help.. its urgent
DATETIME_CONFIG =
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ=UTC

Tags (1)
0 Karma

mayurr98
Super Champion

can you show some sample events?

0 Karma

k_harini
Communicator

_time=2018-01-17 17:12:47,u_comments="",child_incidents="0",sys_tags="",u_sla="",u_resolved="",work_notes_list="",work_end="",u_approve_reject="",u_priority_type="Downgrade",approval_history="",u_external_reference_id="",rfc="",u_resolved_by="",sla_due="UNKNOWN",u_peer="",u_proposed_critical="false",u_production_server_risk="false",u_business_unit="De Beers Canada"

This is one sample event

0 Karma

k_harini
Communicator

I guess this is issue with timezone.. its indexing ahead of time and not shown in time filter. How to correct this?

0 Karma

mayurr98
Super Champion

hey, check your server time. I had faced this kind of issues NTP synchronization at server level would solve your issue
let me know if it helps!

0 Karma

k_harini
Communicator

Should the props.conf be as per server time?

0 Karma

mayurr98
Super Champion

Nope but your files should !

0 Karma

493669
Super Champion

is your data is coming from database?
your eventtime(_time) is ahead of time so you are not getting result when you search for last 4 hrs and getting result when search for all time

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...