Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Summary index bug, timestamps set "2020-12-09" as "2020-09-12"

LucLu
Loves-to-Learn Lots
‎01-24-2021 10:01 PM

We meet on question is , when the u_worked_date is “2020-12-09”, some of them timestamps is “2020-12-09”, others is “2020-09-12”,I do not know what cause this, Other dates in December can be set as timestamps normally. So I think it maybe a bug of summary index.

 

Bellow is my SPL

 

index=idx_snow_task_time sourcetype=snow_task_time

| dedup sys_id

| table sys_id u_worked_date time_worked rate_type sys_updated_by task u_task_category u_actual_time user

| eval _time=strptime(u_worked_date,"%Y-%m-%d")

| collect index=idx_summary_snow_task_time_by_worked_date source="Snow Task Time by Worked Date"

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-25-2021 01:47 AM

Hi @LucLu,

I see that you define _time in your scheduled search but you don't use it in the table command, please, try in this way:

index=idx_snow_task_time sourcetype=snow_task_time
| dedup sys_id
| eval _time=strptime(u_worked_date,"%Y-%m-%d")
| table _time sys_id u_worked_date time_worked rate_type sys_updated_by task u_task_category u_actual_time user
| collect index=idx_summary_snow_task_time_by_worked_date source="Snow Task Time by Worked Date"

In this way, you're sure that in the summary index you have the correct _time.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-24-2021 11:46 PM

Hi @LucLu,

can you share some sample of your data?

Ciao.

Giuseppe

0 Karma
Reply

LucLu
Loves-to-Learn Lots
‎01-24-2021 11:55 PM

this is the SPL data:

LucLu_1-1611561221188.png

and this is data from summary index:

LucLu_2-1611561279519.png

you can see that only head 10 _time = u_worked_date

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-25-2021 12:08 AM

Hi @LucLu,

could you share a sample of the row data? at least one or two samples of the wrong data and one or two samples of the correct data.

Ciao.

Giuseppe

0 Karma
Reply

LucLu
Loves-to-Learn Lots
‎01-25-2021 12:12 AM

wrong raw data:

LucLu_0-1611562305947.png

 

correct raw data:

LucLu_1-1611562328140.png

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-25-2021 12:49 AM

Hi @LucLu,

to avoid that Splunk makes an error in timestamp reading, configure

[your_sourcetype]
TIME_FORMAT = %m/%d/%Y %H:%M:%S %z

in yous props.conf for that sourcetype.

Ciao.

Giuseppe

0 Karma
Reply

LucLu
Loves-to-Learn Lots
‎01-25-2021 01:05 AM

oh ,thanks @gcusello 

this is an summary index , do not have sourcetype,  do you mean set the default sourcetype stash's time_format? if I change this , will it affect all of the summary index?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-25-2021 01:23 AM

Hi @LucLu,

The problem, probably isn't in the scheduled search to populate the summary index, check if in the indexed data (not in summary) the timestamp in those events is correctly read.

if not, the only way is to use the TIME_FORMAT option in props (I usually set everytime this parameter!). 

Ciao.

Giuseppe

0 Karma
Reply

LucLu
Loves-to-Learn Lots
‎01-25-2021 01:27 AM

@gcusello 

when I run the scheduled search the date is correct, just in summary index have some problem.

I set the TIME_FORMART , but the problem have not resolved. 😭

 

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...