Splunk Search

Summary Indexing and TZ

nikhilmehra79
Path Finder

Hi,

I am getting a raw event stream which is getting TZ per PT Splunk props.conf is looking at TZ as PT and converts to CT (where my search head and indexers are ) - this is working as it should be.

But i am running a simple scheduled reports and pointing output to another Summary index on above Event Stream - now when i go and look in data being populated by Scheduled Search in this new Summary Index it is showing time per PT and not CT...not sure why it is messing it up.

Here is my first line of Raw Event in
4/13/14
6:59:14.000 PM Sun Apr 13 16:59:14 2014 PT : Opened Incident Details

As you can see splunk converted smartly - Sun Apr 13 16:59:14 2014 PT to 4/13/14
6:59:14.000 PM (Central TIme Zone) - and this is perfect.

but when i run scheduled search on above event stream and point data to Summary Index (si_test)
Here is my first line in Summary Index
4/13/14 4:38:13.000 PM

Sun Apr 13 16:38:13 2014 PT : Opened Incident Details Current Status: Open

here not sure why it will recognize ( 4/13/14 4:38:13.000 PM ) , rather it should have preserved the Time stamps as (4/13/14 6:59:14.000 PM)

0 Karma

ecambra_splunk
Splunk Employee
Splunk Employee

I've found that you do want to include _time in information you are summarizing. Otherwise Splunk will apply the time based off your search.

If I am summarising events I like to table out all of the necessary fields, then perform calculations after the fact. I've found this allows me to run fewer summary searches, and achieve better performance. When doing this you must specify your fields. Allowing _raw to sneak into your summary will cause problems.

0 Karma

AnilPujar
Path Finder

But when I try simple below query its taking the current system time instead of _time of event.

index=indexname | collect index=si

I want the events in the summary index to retain the _time as it is in the primary index. But it's storing the current system time.

0 Karma

linu1988
Champion

you should not include the time in summary index. It should take automatically from the time which were present in the actual events. As you are including the time fields it's again being adjusted while doing the summary.

Keep only Opened Incident Details Current Status: Open

rather than Sun Apr 13 16:38:13 2014 PT : Opened Incident Details Current Status: Open

0 Karma

AnilPujar
Path Finder

But when I try simple below query its taking the current system time instead of _time of event.

index=indexname | collect index=si

I want the events in the summary index to retain the _time as it is in the primary index. But it's storing the current system time.

0 Karma

nikita_p
Contributor

Hi,
You can try including _time in your base search and then collect it in summary index

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...