I have real-time events pulled through a REST API call. The latest events are present in the index but are not visible when we select the time filter as 4 hours. Events are visible with the All time filter.
What could be the issue?
(before 1/17/18 12:07:20.000 PM) This is what I see when I select All time.
But in events I see this: 1/17/18 5:12:47.000 PM, and events with _time=2018-01-17 17:12:47
So when the filter is selected as 4 hours, events are not visible. Kindly help, it's urgent.
DATETIME_CONFIG =
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ=UTC
Can you show some sample events?
_time=2018-01-17 17:12:47,u_comments="",child_incidents="0",sys_tags="",u_sla="",u_resolved="",work_notes_list="",work_end="",u_approve_reject="",u_priority_type="Downgrade",approval_history="",u_external_reference_id="",rfc="",u_resolved_by="",sla_due="UNKNOWN",u_peer="",u_proposed_critical="false",u_production_server_risk="false",u_business_unit="De Beers Canada"
This is one sample event
I guess this is an issue with the timezone. It's indexing ahead of time and is not shown in the time filter. How do I correct this?
Hey, check your server time. I had faced this kind of issue; NTP synchronization at the server level would solve your issue.
Let me know if it helps!
Should the props.conf be as per server time?
Nope, but your files should!
Is your data coming from a database?
Your event time (_time) is ahead of time, so you are not getting results when you search for the last 4 hours and are getting results when you search for All time.
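An added example, not code from any poster in this thread: it measures how far the sample event's timestamp sits from the search time under different source timezone assumptions, and whether a 4-hour window would include it. Assumptions: the search ran at 12:07:20 UTC (the "before" bound quoted in the question, with the zone assumed), the window is modelled as [now - 4h, now], and the candidate offsets are illustrative.

```python
from datetime import datetime, timedelta, timezone

# Same strptime pattern as TIME_FORMAT in the props.conf quoted in the thread.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

def parse_event_time(raw, utc_offset_hours):
    """Interpret a zone-less timestamp as wall-clock time at the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(raw, TIME_FORMAT).replace(tzinfo=tz)

def in_window(event_time, now, hours=None):
    """hours=None models 'All time'; otherwise the window is [now - hours, now]."""
    if hours is None:
        return True
    return now - timedelta(hours=hours) <= event_time <= now

def skew_report(raw, now, candidate_offsets):
    """For each candidate offset return (offset, skew_seconds, visible_in_last_4h).

    A positive skew means the event is stamped in the future relative to 'now',
    so any window whose latest bound is 'now' excludes it.
    """
    rows = []
    for offset in candidate_offsets:
        event_time = parse_event_time(raw, offset)
        skew = int((event_time - now).total_seconds())
        rows.append((offset, skew, in_window(event_time, now, hours=4)))
    return rows

# Timestamp taken from the sample event in the thread.
RAW = "2018-01-17 17:12:47"
# Assumption: the search time from the question, taken to be UTC.
NOW = datetime(2018, 1, 17, 12, 7, 20, tzinfo=timezone.utc)
# Constructed candidates: UTC (as configured with TZ=UTC) and two illustrative offsets.
CANDIDATE_OFFSETS = [0, 5.5, 8]

if __name__ == "__main__":
    for offset, skew, visible in skew_report(RAW, NOW, CANDIDATE_OFFSETS):
        state = "visible" if visible else "hidden"
        print(f"source UTC{offset:+g}: skew {skew:+d}s, last 4 hours: {state}")
    all_time = in_window(parse_event_time(RAW, 0), NOW)
    print("All time:", "visible" if all_time else "hidden")
```

A large positive skew under the configured TZ points to either a wrong TZ setting for the source or a source clock that is running ahead, which is what the NTP suggestion addresses.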