Splunk Search

Invalid display for custom time search?

remy06
Contributor

Hi,

I've tried to do a search based on custom time.

For example, I've chosen from the drop-down box > Custom time >
Under earliest time I've selected "09/10/2010 00:00:00.000" and latest time as "09/11/2010 00:00:00.000", which displayed events on Friday 10 September.

However under the timeline the date displayed is:
≥ 62,061 events during Thursday, September 9, 2010

Is it a bug in Splunk?


maverick
Splunk Employee

Probably not a bug. Typically the Splunk Search GUI will auto-zoom the graphical timeline to display the actual counts of events happening within the time range of returned results.

Therefore, if you only have matching events on Sept 9, then that's what the display will show, even if you pick Sept 9 AND Sept 10 as the boundaries of your search.

If you have events you expect to show up on Sept 10, then you may need to check your search syntax to be sure it's not filtering out the other events you expect to see for that day, etc.

Another thing you can check is the Custom Time Picker. After you specify your custom time range and the time picker changes to say "Custom", select it and verify that it shows (at the bottom of the drop-down menu) the start and end days you selected.

Finally, if you do all this and it still seems like the results are not coming back on the other days like you expect, try changing the custom time range to be a relative time (i.e. -7d@d) instead of a specific past start and end date and see if that works.
