Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Invalid display for custom time search?

remy06
Contributor
‎09-13-2010 03:50 AM

Hi,

I've tried to do a search based on custom time.

For example,I've chosen from the drop down box > Custom time >
Under earliest time I've selected "09/10/2010 00:00:00.000" and latest time as "09/11/2010 00:00:00.000" which displayed events on friday 10 september.

However under the timeline the date displayed is:
≥ 62,061 events during Thursday, September 9, 2010

Is it a bug in Splunk?

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

maverick
Splunk Employee
Splunk Employee
‎09-13-2010 01:38 PM

Probably not a bug. Typically the Splunk Search GUI will auto-zoom the graphical timeline to display the actual counts of events happening within time range of returned results.

Therefore, if you only have matching events on Sept 9, then that's what the display will show, even if you pick Sept 9 AND Sept 10 as the boundaries of your search.

If you have events you expect to show up on Sept 10, then you may need to check your search syntax to be sure it's not filtering out the other events you expect to see for that day, etc.

Another thing you can check is the Custom Time Picker. After you specify your custom time range and the time picker changes to say "Custom", select it and verify that it shows (at the bottom of the drop-down menu) the start and end days you selected.

Finally, if you do all this and still it seems like the results are not coming back on the other days like you expect, try changing the custom time range to be a relative time (i.e. -7d@d) instead of specific past start and end date and see if that works.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

maverick
Splunk Employee
Splunk Employee
‎09-13-2010 01:38 PM

Probably not a bug. Typically the Splunk Search GUI will auto-zoom the graphical timeline to display the actual counts of events happening within time range of returned results.

Therefore, if you only have matching events on Sept 9, then that's what the display will show, even if you pick Sept 9 AND Sept 10 as the boundaries of your search.

If you have events you expect to show up on Sept 10, then you may need to check your search syntax to be sure it's not filtering out the other events you expect to see for that day, etc.

Another thing you can check is the Custom Time Picker. After you specify your custom time range and the time picker changes to say "Custom", select it and verify that it shows (at the bottom of the drop-down menu) the start and end days you selected.

Finally, if you do all this and still it seems like the results are not coming back on the other days like you expect, try changing the custom time range to be a relative time (i.e. -7d@d) instead of specific past start and end date and see if that works.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...