-1 value at _time field using timechart

guimilare
Communicator

Hello Splunkers.

I'm having an issue with timechart:

Scenario:
I have an index that contains summarized data.
I want to create a timechart showing the sum of bytes used.
However, in the _time field I get some dates OK and then I get a -1 value. After that, _time goes back to the start of epoch time.

At first I imagined that it was related to summarization issues, but the same occurs on the data indexed directly from the IronPorts.
Have you guys ever seen something like that?

Thanks in advance!

1 Solution

guimilare
Communicator

Hi all.

This issue was caused by the start of Daylight Saving Time in Brazil.
Splunk reported this as a bug.

The workaround is to add span=24h to the search.

guimilare
Communicator

_time seems to be indexed correctly.

I guess a few events were wrongly indexed and are causing this issue.
I have to find these bad guys now.

Any hints?


somesoni2
Revered Legend

Do you get any event when you run this?

index=wsa_ironport name_subnet="XXX" _time<0
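An added illustration, not code from this thread or from Splunk: the accepted solution attributes the -1 values in _time to the start of Daylight Saving Time in Brazil and works around it with span=24h, and the reply above suggests searching for _time<0. The Python script below models both points. It assumes a simplified zone (UTC-3 switching to UTC-2 at local midnight on 2017-10-15, coded directly instead of loaded from tzdata), models span=1d as local-midnight-aligned calendar days and span=24h as fixed, epoch-aligned 86400-second windows, and uses constructed events (the XXX subnet name and byte counts are made up). It does not claim to reproduce Splunk's internal bug; it shows why a day boundary is ill-defined on a day whose local midnight never existed, why fixed-width buckets are unaffected, and how the _time<0 sanity check from the thread works as a function over the same events.

```python
import calendar
from collections import defaultdict
from datetime import datetime, timezone

DAY = 86400
MIB = 1048576  # the divisor used in the thread's search: bytes_in/1048576

# Constructed zone model (not real tzdata, so the script runs offline): UTC-3 until the
# DST start instant, UTC-2 from then on. Brazil's DST began at local midnight, so on
# 2017-10-15 the wall clock jumped from 00:00 (-03:00) straight to 01:00 (-02:00).
DST_START_EPOCH = calendar.timegm((2017, 10, 15, 3, 0, 0))  # 00:00 -03:00 as a UTC instant


def utc_offset(epoch):
    """Offset of the modelled zone, in seconds, at a given UTC instant."""
    return -2 * 3600 if epoch >= DST_START_EPOCH else -3 * 3600


def bucket_1d(epoch):
    """Calendar-day bucket (span=1d style): the local midnight that starts the event's day,
    converted back to an instant with the event's own offset. On the DST-start day that
    local midnight never existed, so the boundary this produces is inconsistent."""
    local = epoch + utc_offset(epoch)
    local_midnight = local - local % DAY
    return local_midnight - utc_offset(epoch)


def bucket_24h(epoch):
    """Fixed-width bucket (span=24h style): 86400-second windows aligned to the UNIX epoch,
    independent of any local-time rule."""
    return epoch - epoch % DAY


def local_wallclock(epoch):
    """Render an instant the way a chart axis in the modelled zone would label it."""
    off = utc_offset(epoch)
    stamp = datetime.fromtimestamp(epoch + off, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")
    return f"{stamp} UTC{off // 3600:+d}"


def timechart_sum(events, bucket_fn):
    """Mirror `timechart sum(eval(round(bytes_in/1048576,3))) as traffic by name_subnet`:
    returns {bucket_start_epoch: {name_subnet: traffic_mib}}, sorted by bucket."""
    chart = defaultdict(lambda: defaultdict(float))
    for ev in events:
        chart[bucket_fn(ev["_time"])][ev["name_subnet"]] += round(ev["bytes_in"] / MIB, 3)
    return {b: dict(v) for b, v in sorted(chart.items())}


def suspect_times(events, earliest=calendar.timegm((2017, 1, 1, 0, 0, 0))):
    """The `_time<0` check suggested in the thread, widened to a retention floor: any event
    stamped before `earliest` is a candidate mis-parsed timestamp to inspect in _raw."""
    return [ev for ev in events if ev["_time"] < 0 or ev["_time"] < earliest]


# Constructed sample events (subnet name and sizes are made up), spread over the local days
# around the transition, plus one deliberately bad event stamped _time = -1.
EVENTS = [
    {"_time": calendar.timegm((2017, 10, 14, 15, 0, 0)), "name_subnet": "XXX", "bytes_in": 3 * MIB},  # Oct 14 12:00 -03
    {"_time": calendar.timegm((2017, 10, 15, 2, 30, 0)), "name_subnet": "XXX", "bytes_in": 1 * MIB},  # Oct 14 23:30 -03
    {"_time": calendar.timegm((2017, 10, 15, 14, 0, 0)), "name_subnet": "XXX", "bytes_in": 2 * MIB},  # Oct 15 12:00 -02
    {"_time": calendar.timegm((2017, 10, 16, 14, 0, 0)), "name_subnet": "XXX", "bytes_in": 5 * MIB + MIB // 2},  # Oct 16 12:00 -02
    {"_time": -1, "name_subnet": "XXX", "bytes_in": 100},  # bad event: lands in a 1969-12-31 bucket
]

if __name__ == "__main__":
    for label, fn in (("span=1d", bucket_1d), ("span=24h", bucket_24h)):
        print(label)
        for start, per_subnet in timechart_sum(EVENTS, fn).items():
            print(f"  {local_wallclock(start)}  {per_subnet}")
    print("suspect events:", suspect_times(EVENTS))
```

Running it shows the span=1d chart labelling the 15 October bucket as 2017-10-14 23:00 UTC-3, a boundary an hour off the real day, because the local midnight it tries to align to does not exist. The span=24h chart has stable boundaries throughout, at the cost of sitting at 21:00 or 22:00 local rather than midnight, which is the trade-off the workaround accepts. The bad event appears as a 1969-12-31 bucket in both charts, matching the symptom in the question, and suspect_times() is the check that isolates it for inspection in _raw.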

guimilare
Communicator

Hi somesoni2,
I get 0 results for the search above...
That's why I keep thinking that timechart isn't recognizing something...


cmerriman
Super Champion

Are you piping right after the timechart command?


sundareshr
Legend

It seems like '_time' is not getting indexed correctly from raw data. Do you see correct time values in the events returned by your base search?

index=wsa_ironport name=zyx | table _time _raw

guimilare
Communicator

This is my search:

index=wsa_ironport name_subnet="XXX" | timechart sum(eval(round(bytes_in/1048576,3))) as traffic by name_subnet

cmerriman
Super Champion

Ahh alright, that picture looked like there was a pipe in there.

I assume it's ...|timechart span=1d sum(eval...

I'd double check the _raw data to make sure that _time is being indexed correctly.
