Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Invalid display for custom time search?

remy06
Contributor
‎09-13-2010 03:50 AM

Hi,

I've tried to do a search based on custom time.

For example,I've chosen from the drop down box > Custom time >
Under earliest time I've selected "09/10/2010 00:00:00.000" and latest time as "09/11/2010 00:00:00.000" which displayed events on friday 10 september.

However under the timeline the date displayed is:
≥ 62,061 events during Thursday, September 9, 2010

Is it a bug in Splunk?

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

maverick
Splunk Employee
Splunk Employee
‎09-13-2010 01:38 PM

Probably not a bug. Typically the Splunk Search GUI will auto-zoom the graphical timeline to display the actual counts of events happening within time range of returned results.

Therefore, if you only have matching events on Sept 9, then that's what the display will show, even if you pick Sept 9 AND Sept 10 as the boundaries of your search.

If you have events you expect to show up on Sept 10, then you may need to check your search syntax to be sure it's not filtering out the other events you expect to see for that day, etc.

Another thing you can check is the Custom Time Picker. After you specify your custom time range and the time picker changes to say "Custom", select it and verify that it shows (at the bottom of the drop-down menu) the start and end days you selected.

Finally, if you do all this and still it seems like the results are not coming back on the other days like you expect, try changing the custom time range to be a relative time (i.e. -7d@d) instead of specific past start and end date and see if that works.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

maverick
Splunk Employee
Splunk Employee
‎09-13-2010 01:38 PM

Probably not a bug. Typically the Splunk Search GUI will auto-zoom the graphical timeline to display the actual counts of events happening within time range of returned results.

Therefore, if you only have matching events on Sept 9, then that's what the display will show, even if you pick Sept 9 AND Sept 10 as the boundaries of your search.

If you have events you expect to show up on Sept 10, then you may need to check your search syntax to be sure it's not filtering out the other events you expect to see for that day, etc.

Another thing you can check is the Custom Time Picker. After you specify your custom time range and the time picker changes to say "Custom", select it and verify that it shows (at the bottom of the drop-down menu) the start and end days you selected.

Finally, if you do all this and still it seems like the results are not coming back on the other days like you expect, try changing the custom time range to be a relative time (i.e. -7d@d) instead of specific past start and end date and see if that works.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...