Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I getting different timewrap results depending on what time of day the search is run?

dougburdan
Explorer
‎11-22-2022 10:05 AM

I have a saved search running every few minutes to append data to a 15 day csv log file within Splunk. 

I'm trying to use a timechart with timewrap to compare yesterday's values between 6am and 8pm, with the same period a week earlier.

If I run the search before 6am, I get exactly what I want - two bell-shaped series on a timechart showing a single day from 6am to 8pm.

However, if I run the exact same search after 6am, I get four series on a timechart spanning two days - on the left of the chart a comparison of two series up until 8pm, then a blank period in the middle of the chart from 8pm to 6am the following day, and then on the right, a comparison of two series from 6am.

 

 

| inputlookup fifteen_day_logfile.csv 
| where (_time>=relative_time(now(),"-8d@d+6h") AND _time<=relative_time(now(),"-8d@d+20h")) OR (_time>=relative_time(now(),"-1d@d+6h") AND _time<=relative_time(now(),"-1d@d+20h"))
| timechart span=5m cont=false sum(Value) as Value
| timewrap 1d

 

 

Basically, I'm stumped as to why timewrap is sometimes ignoring the relative_time statements, depending on what time of day it is run.

Any help would be much appreciated.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎11-22-2022 10:24 PM

@dougburdan 

  • You are telling the relative_time statement to the where command and not the "timewrap" command.
  • The timewrap command always does chunks based on the timezone it's executing.
    • So if I'm running the search. My timezone preference is +5:30 (Delhi).
    • Then the chunk will be from my12 AM midnight to my 12 midnight.
    • But if I'm scheduling the search with no owner (or Splunk system user as owner), then it will consider based on the timezone defined on the server, and make the chunks accordingly.

 

I hope this helps!!!

0 Karma
Reply

dougburdan
Explorer
‎11-24-2022 08:51 AM

Thanks VatsalJagani, that kind of makes sense.

As a user with no admin rights, I don't think I have access to change the owner that the search runs under, so I've been experimenting with applying my where statement to the timewrap results, but still can't quite get it right . . . 

I can now get the chart to display a single day from 6am to 8pm, but it only displays results from the current time (here in New Zealand) until 8pm. 

So it must be the use of now() in the relative_time command that is tripping me up?

Would you have an example of some code that I could apply to my search to correct the timezone difference?

Thanks for your help!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...