I have a csv with just 2 columns Time & memory. the events look like this, so this is basically a csv extract of a server memory utilization for April 3rd from 12:00 AM - 11:30 PM at an interval of 10 mins.
Time Event
4/3/20 4/3/2020 23:34,98%
11:34:00.000 PM
When i run a very simple query - index="memory"|timechart count
The statistics tab looks ok
however for some reason the visulaization tab is pushed back and starts from April 2nd
Of course i thought it to be an issue with the time modifiers and tried tinkering like this
index="memory" |rex field=_raw "(?.*?)\,"|eval time=strptime(time,"%m/%d/%Y %H:%M")|eval _time=time |timechart count
In the rex for 'time' I am extracting it from the event(_raw) and NOT the first CSV columb 'Time'.
BUT the output remains the same, namely the issue is the statistics tab looks absolutely correct but the viz tab gets pushed back .
Any clues?
Hi @richgalloway and @to4kawa
I am happy to say that the issue is fixed and I want to apologize for wasting your time as well. Now, this is my local version and I am in India (Kolkata,Chennai etc time zone). I noticed that the events were getting pushed back by 5.5 hours in the timechart viz, which means I was getting defaulted to GMT.
So, I did 2 steps
1- I uploaded the CSV fresh, and went for advanced extraction, under the timezone, I set the time zone for India
2- I am logging in as admin and I changed the admin user's timezone to IST.
I am sure probably step 2 is all that is needed, but hey am not tinkering anything now. I am sorry once again, I should have specified the time zone gap(that events were getting defaulted to GMT and not IST) in my original post.
I have lingering doubts though, because once I change the _time settings forcefully with an extracted filed and set _time=extracte_time...irrespective of the timezone settings the timehchart viz should work , but maybe I am wrong.
Once again sorry for the bother, it was my mistake. I forgot this was my local and not my customer's splunk instance where timezones are already set up by the admin team 🙂 🙂
Hi @richgalloway and @to4kawa
I am happy to say that the issue is fixed and I want to apologize for wasting your time as well. Now, this is my local version and I am in India (Kolkata,Chennai etc time zone). I noticed that the events were getting pushed back by 5.5 hours in the timechart viz, which means I was getting defaulted to GMT.
So, I did 2 steps
1- I uploaded the CSV fresh, and went for advanced extraction, under the timezone, I set the time zone for India
2- I am logging in as admin and I changed the admin user's timezone to IST.
I am sure probably step 2 is all that is needed, but hey am not tinkering anything now. I am sorry once again, I should have specified the time zone gap(that events were getting defaulted to GMT and not IST) in my original post.
I have lingering doubts though, because once I change the _time settings forcefully with an extracted filed and set _time=extracte_time...irrespective of the timezone settings the timehchart viz should work , but maybe I am wrong.
Once again sorry for the bother, it was my mistake. I forgot this was my local and not my customer's splunk instance where timezones are already set up by the admin team 🙂 🙂
