Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Event time is not showing correctly on Dashboard table

mninansplunk
Path Finder
‎11-12-2024 06:32 AM

Hello everyone,

I'm having an issue that I'm trying to understand and fix.  I have a Dashboard table that displays the last 24 hrs of events.  However, the event _time is always showing 11 min past the hour like:

mninansplunk_0-1731421849938.png

 

Which these aren't the correct event times.  When I run the exact same search manually, I get the correct event times.

mninansplunk_1-1731421874118.png

 

Does anyone know why this is occurring and how I can fix it?

Thanks for any help on this one, much appreciated.

Tom

Labels (1)
Labels
0 Karma
Reply

dural_yyz
Motivator
‎11-13-2024 07:02 AM

Your searches are different between DS and manual search.

```WRONG TIME STAMP - MINUTE```

index="netscaler" host=*
| rex field="servicegroupname" "\?(?<Name>[^\?]+)"
| rex field="servicegroupname" "(?<ServiceGroup>[^\?]+)"
| rename "state" AS LastStatus
| eval Component = host."|".servicegroupname
| search Name=*
| eval c_time=strftime(Time,"%m/%d/%y %H:%M:%S")
| streamstats window=1 current=f global=f values(LastStatus) as Status by Component
| where LastStatus!=Status
| eval Time = c_time
| table _time, host, ServiceGroup, Name, Status, LastStatus

```CORRECT TIME STAMPE```

index="netscaler" host=*
| rex field="servicegroupname" "\?(?<Name>[^\?]+)"
| rex field="servicegroupname" "(?<ServiceGroup>[^\?]+)"
| rename "state" AS LastStatus
| eval Component = host."|".servicegroupname
| search Name=*
| streamstats window=1 current=f global=f values(LastStatus) as Status by Component
| where LastStatus!=Status
| table _time, host, ServiceGroup, Name, Status, LastStatus
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-14-2024 02:05 PM
This should mater as _time didn't get value from c_time or Time. Basically those lines are not needed. Unless there is some weird alias in props.conf or something which put e.g. Time in _time field?

You should try to find where in this Dashboard is something which are manipulating _time based on c_time or Time field.
Reply

dural_yyz
Motivator
‎11-15-2024 08:13 AM

Good call on the props, honestly a wild guess is that Month number is somehow inserted as Minute.  Running the dashboard for October would be a good litmus test for that.  But I didn't see anything in the original to make me think that was a real possibility.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...