When I or one of my users changes the time range in Pivot, the change doesn't take effect. For instance, when we change the filter for time to the last 24 hours on the "New Pivot" screen to "Last 24 hours", Splunk runs the search job then returns a count for all events from 12/31/69 6:00:00.000 PM to now.
This only appears to happen on Pivots we create; when I change the date range the sample Pivots provided with the installation of Splunk 6, they work just fine. My suspicion is that it's a permissions issue, but I'm just not sure. My account has admin privileges, and has permission to read and write on the data model/pivot.
Was this resolved? I am running into the same issue with my Pivot data model. It's really frustrating, since it has to re-run the search each time you change something in the Pivot, which takes a few minutes.
Interesting, I'm not able to reproduce the issue on my own, either with a sample data model or one I created myself. So it sounds like it's specific either to your data set or the way your data model is configured.
Would you be willing to attach some of your configuration files so I can try out your data model on my system? I think I would need:
Thanks for your response, here are my answers to your questions:
Data source: It is an application event log for an access control system. This is not one of Splunk’s predefined sourcetypes, I had to define it myself via props.conf and transforms.conf. Splunk does, however, recognize the timestamp in each event.
Event or Transaction based?: These are Event based logs.
Acceleration?: I’ve tried it both ways, and neither appears to help. The Acceleration job does complete successfully.
Here’s an example of the date from one of the events:
31-Dec-2012 23:34:02, Rest, of, event…