Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- latest events which are indexed are not pulled cor...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
latest events which are indexed are not pulled correctly based on time filter
I have real time events pulled through rest api call. The latest events are present in index but not visible when we select time filter as 4 hours. Events are visible with All time filter.
what could be the issue
(before 1/17/18 12:07:20.000 PM) This is what i see when i select all time
But in events - I see this 1/17/18
5:12:47.000 PM and events with _time=2018-01-17 17:12:47
so when filter is selected as 4 hours events are not visible. Kindly help.. its urgent
DATETIME_CONFIG =
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ=UTC
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you show some sample events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
_time=2018-01-17 17:12:47,u_comments="",child_incidents="0",sys_tags="",u_sla="",u_resolved="",work_notes_list="",work_end="",u_approve_reject="",u_priority_type="Downgrade",approval_history="",u_external_reference_id="",rfc="",u_resolved_by="",sla_due="UNKNOWN",u_peer="",u_proposed_critical="false",u_production_server_risk="false",u_business_unit="De Beers Canada"
This is one sample event
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess this is issue with timezone.. its indexing ahead of time and not shown in time filter. How to correct this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey, check your server time. I had faced this kind of issues NTP synchronization at server level would solve your issue
let me know if it helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Should the props.conf be as per server time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nope but your files should !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
is your data is coming from database?
your eventtime(_time) is ahead of time so you are not getting result when you search for last 4 hrs and getting result when search for all time
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
