Splunk Search

How can I set timechart span=2h count for a day to start plotting from midnight?

melonman
Motivator

Hi,

Could anyone know how to start plotting from midnight when time range is something like earliest=-1d@d latest=@d?
I see some behaviors which I did not expect.

The following query always starts plotting 11PM, not 0AM even I set earliest and latest like this.

earliest=-1d@d latest=@d | timechart span=2h count 
               _time            count
    --------------------------- -----
    2013-07-18 23:00:00.000 JST 11372
    2013-07-19 01:00:00.000 JST 22430
    2013-07-19 03:00:00.000 JST 22420
    2013-07-19 05:00:00.000 JST 22488
    2013-07-19 07:00:00.000 JST 22442
    2013-07-19 09:00:00.000 JST 22301
    2013-07-19 11:00:00.000 JST 22331
    2013-07-19 13:00:00.000 JST 22726
    2013-07-19 15:00:00.000 JST 22779
    2013-07-19 17:00:00.000 JST 22732
    2013-07-19 19:00:00.000 JST 22509
    2013-07-19 21:00:00.000 JST 22501
    2013-07-19 23:00:00.000 JST 11098

if I change span=3h, then the result starts frmo midnight, which I expect.

earliest=-1d@d latest=@d | timechart span=3h count 
               _time            count
    --------------------------- -----
    2013-07-19 00:00:00.000 JST 33802
    2013-07-19 03:00:00.000 JST 33645
    2013-07-19 06:00:00.000 JST 33705
    2013-07-19 09:00:00.000 JST 33399
    2013-07-19 12:00:00.000 JST 33959
    2013-07-19 15:00:00.000 JST 34209
    2013-07-19 18:00:00.000 JST 33811
    2013-07-19 21:00:00.000 JST 33599

Now, if I set span=4h, then the result starts from 9PM

 earliest=-1d@d latest=@d | timechart span=4h count    
               _time            count
    --------------------------- -----
    2013-07-18 21:00:00.000 JST 11372
    2013-07-19 01:00:00.000 JST 44850
    2013-07-19 05:00:00.000 JST 44930
    2013-07-19 09:00:00.000 JST 44632
    2013-07-19 13:00:00.000 JST 45505
    2013-07-19 17:00:00.000 JST 45241
    2013-07-19 21:00:00.000 JST 33599

Thanks,

Tags (2)
1 Solution

grijhwani
Motivator

You seem to have a disparity between timezones on your reporting machine and in the indexes. Looks like the timestamp in your indexing is then being formatted as one hour west when you report on it.

I have just been investigating this in the UK where we are currently in British Summer Time (i.e. UTC+1) and I have the same problem. Generating a report which should produce results between (local) midnight and midnight yesterday produces the right search results, but when charted with a timespan the range boundaries seem to be related to the native system time (i.e. starting at midnight UTC not the current presentation time). It would seem to be a bug.

View solution in original post

0 Karma

grijhwani
Motivator

You seem to have a disparity between timezones on your reporting machine and in the indexes. Looks like the timestamp in your indexing is then being formatted as one hour west when you report on it.

I have just been investigating this in the UK where we are currently in British Summer Time (i.e. UTC+1) and I have the same problem. Generating a report which should produce results between (local) midnight and midnight yesterday produces the right search results, but when charted with a timespan the range boundaries seem to be related to the native system time (i.e. starting at midnight UTC not the current presentation time). It would seem to be a bug.

0 Karma

melonman
Motivator

Thank you for your comment
Now I should ask Splunk Support team

0 Karma

vinaybandaru
Path Finder

Hi Melonman,

Did you receive any news from splunk regarding this ?
I have also the same issue in splunk latest version. When i do timechart span for 2h it always starts from 23:00-01:00;

Thanks in Advance,
Vinay

0 Karma

melonman
Motivator

I indexed a dataset with no timestamp (TZ=local) in a locally installed Splunk, and did the same thing. I guess timezone should match among timestamp in data, Splunk/OS and Browser I am running with. Still timechart behaves the same. Depending on the span, timechart snaps to 00:00 or some offsets. Specifically, with the latest and earliest is set to a day(-1d@d to @d), timechart starts from 0:00 only in case of span=1h,3h,7h,21h. (for a day with span more than a few hours does not seem to have much meaning, but timechart behaves diffetently depending on the combination of span and time range.

0 Karma

linu1988
Champion

http://docs.splunk.com/Documentation/Splunk/5.0.3/Search/Specifytimemodifiersinyoursearch

"More about snap-to-time"

i think because of this property it's rounding off to the nearest time period.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...