Splunk Search

Timechart for a span=2hrs not splitting from 00:00

vinaybandaru
Path Finder

For example in the below search, when I try to perform timechart for span=2hrs, why it always takes from 23:00 of the previous day?
Example:

index="index1"
| timechart span=2hr count as "Total"

_time Total
2019-09-22 23:00 0
2019-09-23 01:00 0
2019-09-23 03:00 36
2019-09-23 05:00 0
2019-09-23 07:00 679
2019-09-23 09:00 782
2019-09-23 11:00 293
2019-09-23 13:00 0
2019-09-23 15:00 0
2019-09-23 17:00 0
2019-09-23 19:00 0
2019-09-23 21:00 0
2019-09-23 23:00 0


In my requirement, I need the span should be from 00:00 and not 23:00. Could you please help?

Thanks!!

wmyersas
Builder

What timezone is Splunk running in?

Are you doign absolute timing (eg -2d@), or relative (eg -48h)?

Sidebar - you want | timechart span=2h count as Total

0 Karma

lichtelwichtel
Engager

I have the same problem, and this started with the switch from summertime for me.
If I search for logs from 00:00 to 24:00 (earliest=-2d@d latest=-1d@d), I correctly get the logs in that timeframe.
When I want to split this time into 2 hour segments with span (either with |bucked span=2h _time or with |timechart span=2h count), the segments start at 23h. This means that my first and last segment only have data from one hour.
How come "span" uses a different time setting than earliest/latest?

My workaround (which needs to change every timechange) is the following:
| eval _time=_time+3600
| bucket span=2h _time
| eval _time=_time-3600
| stats count by _time
Not very elegant, but it works.

0 Karma

vinaybandaru
Path Finder

Hi,
It's running in CET timezone. And user is of GMT-03:00 - Brazil timezone.
I'm selecting for the time period for yesterday where in (09/23/2019 : 00:00:00:000 - 09/24/2019 : 00:00:00:000)

Yes i want to count events between span of 2hours. i.e from 0-2;2-4 etc

Thanks,
Vinay

0 Karma

wmyersas
Builder

Unix epoch time is always UTC - https://en.wikipedia.org/wiki/Unix_time

0 Karma

wmyersas
Builder

Sounds like you're running into timezone boundaries - if the server's running CET (1 hour ahead of UTC), then it is dividing correctly on the odd hours

0 Karma

diogofgm
SplunkTrust
SplunkTrust

Use fixed time intervals like index=blah earliest = -1d@d latest=@d for yesterday or index=blah earliest = @dfor today instead of the preset last 24h

------------
Hope I was able to help you. If so, some karma would be appreciated.

vinaybandaru
Path Finder

I tried but it doesn't work also with both earliest = -1d@d latest=@d / earliest =@d. But it gives the same results.
_time Total
2019-09-22 23:00 0
2019-09-23 01:00 0
2019-09-23 03:00 36
2019-09-23 05:00 0
2019-09-23 07:00 679
2019-09-23 09:00 782
2019-09-23 11:00 293
2019-09-23 13:00 0
2019-09-23 15:00 0
2019-09-23 17:00 0
2019-09-23 19:00 0
2019-09-23 21:00 0
2019-09-23 23:00 0

0 Karma

Anantha123
Communicator

Try using span=2h@h

0 Karma

diogofgm
SplunkTrust
SplunkTrust

span does not work @h

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

vinaybandaru
Path Finder

it works but it gives the same results.
_time Total
2019-09-22 23:00 0
2019-09-23 01:00 0
2019-09-23 03:00 36
2019-09-23 05:00 0
2019-09-23 07:00 679
2019-09-23 09:00 782
2019-09-23 11:00 293
2019-09-23 13:00 0
2019-09-23 15:00 0
2019-09-23 17:00 0
2019-09-23 19:00 0
2019-09-23 21:00 0
2019-09-23 23:00 0

0 Karma

Anantha123
Communicator

Just a thought . Is the timezone for the logs and the system are same ?

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...