I have a CSV with just 2 columns, Time & memory. The events look like this, so this is basically a CSV extract of a server's memory utilization for April 3rd from 12:00 AM - 11:30 PM at an interval of 10 mins.
Time                      Event
4/3/20 11:34:00.000 PM    4/3/2020 23:34,98%
When I run a very simple query - index="memory"|timechart count
The statistics tab looks ok
However, for some reason the visualization tab is pushed back and starts from April 2nd
Of course i thought it to be an issue with the time modifiers and tried tinkering like this
index="memory" |rex field=_raw "(?<time>.*?)\,"|eval time=strptime(time,"%m/%d/%Y %H:%M")|eval _time=time |timechart count
In the rex for 'time' I am extracting it from the event (_raw) and NOT the first CSV column 'Time'.
BUT the output remains the same, namely the issue is the statistics tab looks absolutely correct but the viz tab gets pushed back.
Any clues?
Hi @richgalloway and @to4kawa
I am happy to say that the issue is fixed and I want to apologize for wasting your time as well. Now, this is my local version and I am in India (Kolkata, Chennai etc. time zone). I noticed that the events were getting pushed back by 5.5 hours in the timechart viz, which means I was getting defaulted to GMT.
So, I did 2 steps
1- I uploaded the CSV fresh, and went for advanced extraction, under the timezone, I set the time zone for India
2- I am logging in as admin and I changed the admin user's timezone to IST.
I am sure probably step 2 is all that is needed, but hey am not tinkering anything now. I am sorry once again, I should have specified the time zone gap (that events were getting defaulted to GMT and not IST) in my original post.
I have lingering doubts though, because once I change the _time settings forcefully with an extracted field and set _time=extracted_time... irrespective of the timezone settings the timechart viz should work, but maybe I am wrong.
Once again sorry for the bother, it was my mistake. I forgot this was my local and not my customer's Splunk instance where timezones are already set up by the admin team 🙂 🙂
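Added example, not part of the original thread and not Splunk code: a small Python sketch of the 5.5-hour gap described above, showing how a zone-less CSV timestamp maps to an epoch value and how the same epochs fall on different calendar days depending on the display time zone. The rows are constructed to match the 10-minute interval described in the question; the function names and the fixed +05:30 offset for IST are assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30), "IST")  # fixed offset, India has no DST
UTC = timezone.utc
FMT = "%m/%d/%Y %H:%M"  # same format string as the strptime call in the thread


def to_epoch(raw_time, source_tz):
    """Parse a zone-less CSV timestamp as wall-clock time in source_tz."""
    return datetime.strptime(raw_time, FMT).replace(tzinfo=source_tz).timestamp()


def events_per_day(epochs, display_tz):
    """Count events per calendar day as rendered in display_tz."""
    days = (datetime.fromtimestamp(e, display_tz).strftime("%Y-%m-%d") for e in epochs)
    return dict(Counter(days))


def constructed_rows():
    """Constructed sample: one reading every 10 minutes, 00:00 to 23:30 on 4/3/2020."""
    start = datetime(2020, 4, 3, 0, 0)
    return [(start + timedelta(minutes=10 * i)).strftime(FMT) for i in range(142)]


def parse_gap_seconds(raw_time):
    """How far apart the same string lands when read as UTC instead of IST."""
    return to_epoch(raw_time, UTC) - to_epoch(raw_time, IST)


if __name__ == "__main__":
    epochs = [to_epoch(r, IST) for r in constructed_rows()]
    print("displayed in IST:", events_per_day(epochs, IST))
    print("displayed in UTC:", events_per_day(epochs, UTC))
    print("parse gap for 4/3/2020 23:34:", parse_gap_seconds("4/3/2020 23:34"), "s")
```

The epoch values are absolute; only the zone used to parse the string and the zone used to render the chart decide which day an event appears under.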
Have you tried changing the time picker from "All time" to the window you expect for the viz?
Hi @richgalloway - Strange, when I changed the time picker to last 24 hrs... I got a 'no results found'. I uploaded the CSV today. At any rate, why would the time picker be affecting just the visualization and NOT the stats tab?
Is this a bug?
It certainly is strange.
When you uploaded the data is not as relevant as the _time value for the events. That is what Splunk looks at to satisfy the time picker.
Hi @to4kawa. I suspected that, but it didn't work. Below are my settings in props.conf under local for the relevant sourcetype
[mem]
DATETIME_CONFIG = current
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
Your props.conf is not DATETIME_CONFIG = current
Check props.conf