Splunk Search

Timechart visualization does not match statistics

Sukisen1981
Champion

I have a CSV with just 2 columns, Time & memory. The events look like this, so this is basically a CSV extract of a server memory utilization for April 3rd from 12:00 AM - 11:30 PM at an interval of 10 mins.
Time: 4/3/20 11:34:00.000 PM
Event: 4/3/2020 23:34,98%

When I run a very simple query - index="memory"|timechart count
The statistics tab looks ok

However, for some reason the visualization tab is pushed back and starts from April 2nd

Of course I thought it to be an issue with the time modifiers and tried tinkering like this
index="memory" |rex field=_raw "(?<time>.*?)\,"|eval time=strptime(time,"%m/%d/%Y %H:%M")|eval _time=time |timechart count
In the rex for 'time' I am extracting it from the event (_raw) and NOT the first CSV column 'Time'.
BUT the output remains the same, namely the issue is the statistics tab looks absolutely correct but the viz tab gets pushed back.
Any clues?

0 Karma
1 Solution

Sukisen1981
Champion

Hi @richgalloway and @to4kawa
I am happy to say that the issue is fixed and I want to apologize for wasting your time as well. Now, this is my local version and I am in India (Kolkata, Chennai etc. time zone). I noticed that the events were getting pushed back by 5.5 hours in the timechart viz, which means I was getting defaulted to GMT.
So, I did 2 steps
1- I uploaded the CSV fresh, and went for advanced extraction, under the timezone, I set the time zone for India

2- I am logging in as admin and I changed the admin user's timezone to IST.

I am sure probably step 2 is all that is needed, but hey am not tinkering anything now. I am sorry once again, I should have specified the time zone gap (that events were getting defaulted to GMT and not IST) in my original post.
I have lingering doubts though, because once I change the _time settings forcefully with an extracted field and set _time=extracted_time...irrespective of the timezone settings the timechart viz should work, but maybe I am wrong.
Once again sorry for the bother, it was my mistake. I forgot this was my local and not my customer's Splunk instance where timezones are already set up by the admin team 🙂 🙂

0 Karma


richgalloway
SplunkTrust

Have you tried changing the time picker from "All time" to the window you expect for the viz?

---
If this reply helps you, Karma would be appreciated.
0 Karma

Sukisen1981
Champion

Hi @richgalloway - Strange, when I changed the time picker to last 24 hrs...I got a 'no results found'. I uploaded the CSV today. At any rate why would the time picker be affecting just the visualization and NOT the stats tab?
Is this a bug?

0 Karma

richgalloway
SplunkTrust

It certainly is strange.
When you uploaded the data is not as relevant as the _time value for the events. That is what Splunk looks at to satisfy the time picker.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Sukisen1981
Champion

Hi @to4kawa. I suspected that, but it didn't work. Below are my settings in props.conf under local for the relevant sourcetype

[mem]
DATETIME_CONFIG = current
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

0 Karma

to4kawa
Ultra Champion

Your props.conf is not DATETIME_CONFIG = current.
Check props.conf.

0 Karma
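The index-time settings this thread turns on, shown as an added example that is not taken from any of the posts: the posted stanza's timestamp line beside a variant that reads `_time` from the data and states its zone. The column name `Time` and the zone `Asia/Kolkata` are assumptions based on the description of the CSV and of the fix.

```ini
# props.conf, local, sourcetype [mem] as named in the thread (added example)

[mem]
INDEXED_EXTRACTIONS = csv
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true

# As posted: the timestamp in the data is not used at all.
# CURRENT stamps every event with the time it was indexed,
# so a file uploaded today lands in today's time range.
# DATETIME_CONFIG = CURRENT

# Variant: take _time from the CSV column instead.
# Assumed header name of the timestamp column.
TIMESTAMP_FIELDS = Time

# Matches values such as 4/3/2020 23:34.
TIME_FORMAT = %m/%d/%Y %H:%M

# The values carry no zone information, so say which zone
# they were written in (assumed here to be IST).
TZ = Asia/Kolkata
```

These are index-time settings, so they apply only to data indexed after the change and the file has to be uploaded again. `TZ` controls how the stored timestamp is parsed; the time zone in a user's account preferences only controls how `_time` is displayed.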