Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Event time is not showing correctly on Dashboard table

mninansplunk
Path Finder
‎11-12-2024 06:32 AM

Hello everyone,

I'm having an issue that I'm trying to understand and fix.  I have a Dashboard table that displays the last 24 hrs of events.  However, the event _time is always showing 11 min past the hour like:

mninansplunk_0-1731421849938.png

 

Which these aren't the correct event times.  When I run the exact same search manually, I get the correct event times.

mninansplunk_1-1731421874118.png

 

Does anyone know why this is occurring and how I can fix it?

Thanks for any help on this one, much appreciated.

Tom

Labels (1)
Labels
0 Karma
Reply

dural_yyz
Motivator
‎11-13-2024 07:02 AM

Your searches are different between DS and manual search.

```WRONG TIME STAMP - MINUTE```

index="netscaler" host=*
| rex field="servicegroupname" "\?(?<Name>[^\?]+)"
| rex field="servicegroupname" "(?<ServiceGroup>[^\?]+)"
| rename "state" AS LastStatus
| eval Component = host."|".servicegroupname
| search Name=*
| eval c_time=strftime(Time,"%m/%d/%y %H:%M:%S")
| streamstats window=1 current=f global=f values(LastStatus) as Status by Component
| where LastStatus!=Status
| eval Time = c_time
| table _time, host, ServiceGroup, Name, Status, LastStatus

```CORRECT TIME STAMPE```

index="netscaler" host=*
| rex field="servicegroupname" "\?(?<Name>[^\?]+)"
| rex field="servicegroupname" "(?<ServiceGroup>[^\?]+)"
| rename "state" AS LastStatus
| eval Component = host."|".servicegroupname
| search Name=*
| streamstats window=1 current=f global=f values(LastStatus) as Status by Component
| where LastStatus!=Status
| table _time, host, ServiceGroup, Name, Status, LastStatus
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-14-2024 02:05 PM
This should mater as _time didn't get value from c_time or Time. Basically those lines are not needed. Unless there is some weird alias in props.conf or something which put e.g. Time in _time field?

You should try to find where in this Dashboard is something which are manipulating _time based on c_time or Time field.
Reply

dural_yyz
Motivator
‎11-15-2024 08:13 AM

Good call on the props, honestly a wild guess is that Month number is somehow inserted as Minute.  Running the dashboard for October would be a good litmus test for that.  But I didn't see anything in the original to make me think that was a real possibility.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...