Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Time range not changing in Pivot interface

wpreston
Motivator
‎10-14-2013 08:09 AM

When I or one of my users changes the time range in Pivot, the change doesn't take effect. For instance, when we change the filter for time to the last 24 hours on the "New Pivot" screen to "Last 24 hours", Splunk runs the search job then returns a count for all events from 12/31/69 6:00:00.000 PM to now.

This only appears to happen on Pivots we create; when I change the date range the sample Pivots provided with the installation of Splunk 6, they work just fine. My suspicion is that it's a permissions issue, but I'm just not sure. My account has admin privileges, and has permission to read and write on the data model/pivot.

Tags (2)
Reply

bruceclarke
Contributor
‎10-24-2013 11:18 AM

Was this resolved? I am running into the same issue with my Pivot data model. It's really frustrating, since it has to re-run the search each time you change something in the Pivot, which takes a few minutes.

0 Karma
Reply

wpreston
Motivator
‎10-18-2013 09:40 AM

Yes, the _time field is included, and time is the first of the filter options on the pivot.

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-17-2013 05:25 PM

Is the _time field included in the list of required fields for your data model?

0 Karma
Reply

wpreston
Motivator
‎10-17-2013 04:14 PM

Sorry for my long response time. Unfortunately this will not be possible, the data and the transforms for it are very sensitive. Thank you for the offer, though!

0 Karma
Reply

Simon_Fishel
Splunk Employee
Splunk Employee
‎10-14-2013 04:47 PM

Interesting, I'm not able to reproduce the issue on my own, either with a sample data model or one I created myself. So it sounds like it's specific either to your data set or the way your data model is configured.

Would you be willing to attach some of your configuration files so I can try out your data model on my system? I think I would need:

  • some sample data
  • props.conf
  • transforms.conf
  • the data model .json file (which should be in <splunk root>/etc/apps/<your app>/local/data/models)
0 Karma
Reply

wpreston
Motivator
‎10-14-2013 12:04 PM

Thanks for your response, here are my answers to your questions:

Data source: It is an application event log for an access control system. This is not one of Splunk’s predefined sourcetypes, I had to define it myself via props.conf and transforms.conf. Splunk does, however, recognize the timestamp in each event.

Event or Transaction based?: These are Event based logs.

Acceleration?: I’ve tried it both ways, and neither appears to help. The Acceleration job does complete successfully.

Here’s an example of the date from one of the events:

31-Dec-2012 23:34:02, Rest, of, event…

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...