Splunk Enterprise 6.5.2
Trying to get 12-hour span reporting: midnight to noon, noon to midnight.
A simplified version of my search is: index=_internal | bin _time span=12h | stats count by _time
For some reason, the intervals are being calculated as 19:00 to 07:00 and 07:00 to 19:00:
_time               count
2018-04-20 07:00    2878932
2018-04-20 19:00    8825546
2018-04-21 07:00    5538945
2018-04-21 19:00    1476846
2018-04-22 07:00    4373903
2018-04-22 19:00    5332040
2018-04-23 07:00    1636378
2018-04-23 19:00    9937520
2018-04-24 07:00    11197284
2018-04-24 19:00    7186629
2018-04-25 07:00    3561015
2018-04-25 19:00    9161603
2018-04-26 07:00    7798990
2018-04-26 19:00    4544852
Is this a "feature" or a bug?
Instead of this:
| bin _time span=12h ...
Try this:
| eval _time = relative_time(_time, "@d") + if((tonumber(strftime(_time, "%H%M")) < 1200), 0, (12 * 60 * 60)) ...
Can you explain how you did this? I am having a hard time understanding this calculation.
I manually built what bin automagically does. The relative_time call rounds _time down to the beginning of the current day. The strftime call calculates the HHMM offset within the current day; if that is < 1200 it adds nothing to the rounded-down-to-start-of-day _time, otherwise it adds 12 hours of seconds (12 * 60 * 60) to it. Then it drops the microphone.
Put in an earliest flag in the search to snap to the beginning of the day?
Something like earliest=-2d@d
Any chance your events are in a different timezone than your user preference, thus the time value shown for the event is different than the time of the event itself, which is what would be used by bin?
Events are based on ET -0500.
I am in CT -0600
It does not matter what time of day you run it.
I'm willing to bet your UI is configured to show events in ET. That would explain why a time that you'd expect to be at 12:00 would be displayed on your side as 07:00.
To check this:
Your Name (on the top bar of the page) -> Account Settings
Examine what's shown for Time zone under the Global heading.
Did some research with our SE, Nimish.
When the Time Zone is anything other than "Default System Timezone", you get some calculation of a different time.
when timezone = CT (-0600), span time starts at 19:00
when timezone = Chennai (+0530), span time starts at 17:30
when timezone = ET (-0500), span time starts at 20:00
when timezone = Default System Timezone, span time starts at 00:00
I have tried adding earliest=-7d@d to try to force it to look at full days. Same results.
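The following is an added worked example, not part of the thread and not Splunk's own code. It ports the eval trick from the answer above (local midnight plus 12 hours of seconds for afternoon events) and sets it beside a bucketing that snaps to multiples of 12 hours since the Unix epoch, i.e. to 00:00 and 12:00 UTC. The assumption that a sub-day `bin _time span=12h` aligns to UTC in that way is mine, not the thread's; the check it offers is that rendering those UTC boundaries in the zones the thread lists (America/Chicago, Asia/Kolkata, America/New_York, with their April 2018 daylight-saving offsets) gives exactly the 19:00, 17:30 and 20:00 starts reported, and 00:00 only when the display zone is UTC. The sample events and zone names are constructed; the script needs Python 3.9+ with zoneinfo data.

```python
from collections import Counter
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

HALF_DAY = 12 * 60 * 60  # the 12 * 60 * 60 from the eval answer


def epoch_aligned_bin(ts: int, tz=None) -> int:
    """Snap ts down to a multiple of 12h since the Unix epoch (00:00 / 12:00 UTC).

    Assumption, not stated in the thread: this is how a sub-day
    `bin _time span=12h` picks its boundaries. tz is ignored; it is only
    here so both binners share one signature.
    """
    return ts - (ts % HALF_DAY)


def local_half_day_bin(ts: int, tz: ZoneInfo) -> int:
    """Port of: relative_time(_time, "@d") + if(HHMM < 1200, 0, 12*60*60).

    relative_time(..., "@d") is local midnight of the event's day in tz;
    afternoon events (HHMM >= 1200) get 12h of seconds added.
    Caveat: on a spring-forward day, local midnight + 43200 s is 13:00 local,
    so the afternoon label drifts by an hour; use wall-clock noon if that matters.
    """
    local = datetime.fromtimestamp(ts, tz)
    midnight = local.replace(hour=0, minute=0, second=0, microsecond=0)
    hhmm = int(local.strftime("%H%M"))
    return int(midnight.timestamp()) + (0 if hhmm < 1200 else HALF_DAY)


def label(ts: int, tz: ZoneInfo) -> str:
    """Render an epoch second the way the stats output above shows _time."""
    return datetime.fromtimestamp(ts, tz).strftime("%Y-%m-%d %H:%M")


def count_by_bin(events, tz_name: str, binner) -> dict:
    """`stats count by _time` over wall-clock event times given in tz_name."""
    tz = ZoneInfo(tz_name)
    counts = Counter()
    for wall in events:
        ts = int(datetime.strptime(wall, "%Y-%m-%d %H:%M").replace(tzinfo=tz).timestamp())
        counts[label(binner(ts, tz), tz)] += 1
    return dict(sorted(counts.items()))


def utc_bin_starts_in(tz_name: str, day: str = "2018-04-20") -> set:
    """Wall-clock HH:MM at which UTC-aligned 12h bins start, as seen from tz_name."""
    tz = ZoneInfo(tz_name)
    base = int(datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())
    return {label(base + k * HALF_DAY, tz)[-5:] for k in (0, 1)}


# Constructed sample: four events on one day, wall-clock Central time (CDT in April).
SAMPLE_EVENTS = ["2018-04-20 01:00", "2018-04-20 10:30",
                 "2018-04-20 13:00", "2018-04-20 20:00"]

if __name__ == "__main__":
    print("epoch-aligned:", count_by_bin(SAMPLE_EVENTS, "America/Chicago", epoch_aligned_bin))
    print("local-day:    ", count_by_bin(SAMPLE_EVENTS, "America/Chicago", local_half_day_bin))
    for zone in ("America/Chicago", "Asia/Kolkata", "America/New_York", "UTC"):
        print(zone, sorted(utc_bin_starts_in(zone)))
```

Run as-is, the epoch-aligned counts fall on 19:00 and 07:00 for America/Chicago, matching the asker's output, while the ported eval version lands on 00:00 and 12:00 of the local day; the last loop prints the per-zone starts that the research above reports.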