Hello Splunkers.
I'm having an issue with timechart;
Scenario:
I have an index that contains summarized data.
I want to create a timechart showing the sum of bytes used.
However, in the field _time, I get some dates OK and then I get a -1 value. After that, _time goes back to the start of epoch time:
At first I imagined that it was related to summarization issues, but the same occurs on the data indexed directly from the IronPorts.
Have you guys ever seen something like that?
Thanks in advance!
Hi all.
This issue was caused by the start of Daylight Saving Time in Brazil.
Splunk reported this as a bug.
The workaround is to add span=24h to the search.
Do you get any event when you run this?
index=wsa_ironport name_subnet="XXX" _time<0
Hi semosoni2,
I get 0 results for the search above...
That's why I keep thinking that timechart isn't recognizing something...
Are you piping right after the timechart command?
It seems like '_time' is not getting indexed correctly from raw data. Do you see correct time values in the events returned by your base search:
index=wsa_ironport name=zyx | table _time _raw
_time seems to be indexed correctly.
I guess a few events were wrongly indexed and are causing this issue.
I have to find these bad guys now.
Any hints?
This is my search:
index=wsa_ironport name_subnet="XXX" | timechart sum(eval(round(bytes_in/1048576,3))) as traffic by name_subnet
Ah, alright, that picture looked like there was a pipe in there.
I assume it's ...|timechart span=1d sum(eval...
I'd double check the _raw data to make sure that _time is being indexed correctly.