Time range not changing in Pivot interface

Motivator

When I or one of my users changes the time range in Pivot, the change doesn't take effect. For instance, when we change the filter for time to the last 24 hours on the "New Pivot" screen to "Last 24 hours", Splunk runs the search job then returns a count for all events from 12/31/69 6:00:00.000 PM to now.

This only appears to happen on Pivots we create; when I change the date range on the sample Pivots provided with the installation of Splunk 6, they work just fine. My suspicion is that it's a permissions issue, but I'm just not sure. My account has admin privileges, and has permission to read and write on the data model/pivot.

Contributor

Was this resolved? I am running into the same issue with my Pivot data model. It's really frustrating, since it has to re-run the search each time you change something in the Pivot, which takes a few minutes.

0 Karma

Motivator

Yes, the _time field is included, and time is the first of the filter options on the pivot.

0 Karma

Splunk Employee

Is the _time field included in the list of required fields for your data model?

0 Karma

Motivator

Sorry for my long response time. Unfortunately, this will not be possible; the data and the transforms for it are very sensitive. Thank you for the offer, though!

0 Karma

Splunk Employee

Interesting, I'm not able to reproduce the issue on my own, either with a sample data model or one I created myself. So it sounds like it's specific either to your data set or the way your data model is configured.

Would you be willing to attach some of your configuration files so I can try out your data model on my system? I think I would need:

  • some sample data
  • props.conf
  • transforms.conf
  • the data model .json file (which should be in <splunk root>/etc/apps/<your app>/local/data/models)

0 Karma

Motivator

Thanks for your response, here are my answers to your questions:

Data source: It is an application event log for an access control system. This is not one of Splunk’s predefined sourcetypes; I had to define it myself via props.conf and transforms.conf. Splunk does, however, recognize the timestamp in each event.

Event or Transaction based?: These are Event based logs.

Acceleration?: I’ve tried it both ways, and neither appears to help. The Acceleration job does complete successfully.

Here’s an example of the date from one of the events:

31-Dec-2012 23:34:02, Rest, of, event…

0 Karma