Why am I getting different timewrap results depending on what time of day the search is run?

dougburdan
Explorer

I have a saved search running every few minutes to append data to a 15-day CSV log file within Splunk.

I'm trying to use a timechart with timewrap to compare yesterday's values between 6am and 8pm, with the same period a week earlier.

If I run the search before 6am, I get exactly what I want - two bell-shaped series on a timechart showing a single day from 6am to 8pm.

However, if I run the exact same search after 6am, I get four series on a timechart spanning two days - on the left of the chart a comparison of two series up until 8pm, then a blank period in the middle of the chart from 8pm to 6am the following day, and then on the right, a comparison of two series from 6am.

| inputlookup fifteen_day_logfile.csv 
| where (_time>=relative_time(now(),"-8d@d+6h") AND _time<=relative_time(now(),"-8d@d+20h")) OR (_time>=relative_time(now(),"-1d@d+6h") AND _time<=relative_time(now(),"-1d@d+20h"))
| timechart span=5m cont=false sum(Value) as Value
| timewrap 1d


Basically, I'm stumped as to why timewrap is sometimes ignoring the relative_time statements, depending on what time of day it is run.

Any help would be much appreciated.


VatsalJagani
SplunkTrust

@dougburdan 

  • You are passing the relative_time statement to the where command and not to the timewrap command.
  • The timewrap command always makes chunks based on the timezone it's executing in.
    • So if I'm running the search, and my timezone preference is +5:30 (Delhi),
    • then the chunk will be from my 12 AM midnight to my 12 AM midnight.
    • But if I'm scheduling the search with no owner (or the Splunk system user as owner), then it will use the timezone defined on the server, and make the chunks accordingly.

I hope this helps!!!

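As an added illustration of the chunking described in the answer above (this is not code from the thread or from Splunk, and Splunk's own timewrap implementation is not reproduced here), the Python script below simulates what happens to the bins kept by the where clause in the question when they are folded into 1-day chunks. It assumes chunk boundaries fall at whole-day steps back from an alignment point, and compares two alignment choices: the moment the search runs (now()) and midnight in the user's timezone, which is the behaviour the answer describes. The date, the fixed +12:00 offset standing in for New Zealand time, and the helper names are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed: a fixed +12:00 offset standing in for the New Zealand user's timezone
# (a fixed offset keeps the example free of DST effects).
NZ = timezone(timedelta(hours=12))
DAY = timedelta(days=1)
SPAN = timedelta(minutes=5)          # matches "timechart span=5m" in the question


def run_at(hour):
    """Constructed 'now()' for a search run at the given hour on a fixed date."""
    return datetime(2024, 5, 10, hour, 0, tzinfo=NZ)


def relative_time(now, days_back, hour):
    """Mimic relative_time(now(), "-<days_back>d@d+<hour>h"): step back the given
    number of days, snap to midnight in now's timezone, then add the hour offset."""
    midnight = (now - days_back * DAY).replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + timedelta(hours=hour)


def selected_bins(now):
    """Timestamps of the 5-minute bins the thread's where clause keeps:
    06:00..20:00 eight days ago and 06:00..20:00 yesterday."""
    bins = []
    for days_back in (8, 1):
        t, end = relative_time(now, days_back, 6), relative_time(now, days_back, 20)
        while t <= end:
            bins.append(t)
            t += SPAN
    return bins


def wrap_1d(bins, align_to):
    """Assign bins to 1-day chunks whose boundaries sit at whole days before align_to.
    Returns {chunk_index: (first_offset_h, last_offset_h)}: each key is one plotted
    series, and the offsets are where that series lands on the wrapped 24 h x-axis."""
    chunks = {}
    for t in bins:
        idx = int((align_to - t).total_seconds() // 86400)   # 0 = most recent chunk
        chunk_start = align_to - (idx + 1) * DAY
        offset_h = (t - chunk_start).total_seconds() / 3600
        lo, hi = chunks.get(idx, (offset_h, offset_h))
        chunks[idx] = (min(lo, offset_h), max(hi, offset_h))
    return chunks


def series_count(now, align_to):
    """Number of series the wrapped chart would show for a search run at `now`."""
    return len(wrap_1d(selected_bins(now), align_to))


def midnight_of(now):
    """Chunk boundary at midnight in the user's timezone, as the answer describes."""
    return now.replace(hour=0, minute=0, second=0, microsecond=0)


if __name__ == "__main__":
    for hour in (5, 10):
        now = run_at(hour)
        print(f"run at {now:%H:%M}, aligned to now:      "
              f"{series_count(now, now)} series {wrap_1d(selected_bins(now), now)}")
        print(f"run at {now:%H:%M}, aligned to midnight: "
              f"{series_count(now, midnight_of(now))} series")
```

With the chunk boundary at 05:00 (a search run before 6am) or at midnight, the 06:00 to 20:00 window fits inside one chunk and the chart gets the two series the question wants. With the boundary at 10:00, each day's window is cut at 10:00 into two chunks, which is exactly the four-series chart with a gap in the middle that the question reports; the offsets returned by wrap_1d show one half landing at the left of the 24 h axis and the other at the right.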

dougburdan
Explorer

Thanks VatsalJagani, that kind of makes sense.

As a user with no admin rights, I don't think I have access to change the owner that the search runs under, so I've been experimenting with applying my where statement to the timewrap results, but still can't quite get it right...

I can now get the chart to display a single day from 6am to 8pm, but it only displays results from the current time (here in New Zealand) until 8pm. 

So it must be the use of now() in the relative_time command that is tripping me up?

Would you have an example of some code that I could apply to my search to correct the timezone difference?

Thanks for your help!
