Splunk Search

Why are we getting an incorrect date in our resulting table?

Communicator

The job 0019295, which shows run time on Thu Jan 14 07:00:02:2016, actually ran on Wed Jan 13 07:00:19 2016, which is the time on the row below this event.
Snapshot attached.

And that's the reason the timechart and the table show different values.

| rename JobId as "Job ID", JobName as "Job Name"
| streamstats current=f window=2 range(_time) as JobRunTime latest(_time) as EndTime earliest(_time) as StartTime
| table "Job Name", "Job ID", StartTime, EndTime, JobRunTime
| dedup "Job ID"
| eval StartTime=strftime(StartTime, "%c")
| eval EndTime=strftime(EndTime, "%c")
| eval JobRunTime=tostring(JobRunTime, "duration")

Not sure why the dates are being changed or incremented by 1.

Thanks,
Anil.

0 Karma
1 Solution

Communicator

@sundareshr
@somesoni2 @vasanthmss
Thank you so much for looking into this.

Used sort _time and tried the following query and it works.

sort _time | streamstats current=t window=2 range(_time) as JobRunTime latest(_time) as EndTime earliest(_time) as StartTime | sort -_time

0 Karma
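
A small Python model of the two pipelines in this thread, added here as an illustration (it is not code from any poster and not Splunk's implementation). It assumes each job logs one start and one end event, that results arrive newest first, and that the `dedup` on job ID stays in place after the changed `streamstats`; the events and job IDs are constructed.

```python
from datetime import datetime, timedelta

def streamstats(events, window, current):
    """Model range/earliest/latest of _time over the `window` most recent
    events in the order given; the current event counts only if current=True."""
    out = []
    for i, ev in enumerate(events):
        end = i + 1 if current else i
        times = [e["_time"] for e in events[max(0, end - window):end]]
        row = dict(ev)
        if times:  # the very first row has no window when current=f
            row.update(StartTime=min(times), EndTime=max(times),
                       JobRunTime=max(times) - min(times))
        out.append(row)
    return out

def dedup(rows, field):
    """Keep the first row seen for each value of `field`, like `dedup`."""
    seen, kept = set(), []
    for r in rows:
        if r[field] not in seen:
            seen.add(r[field])
            kept.append(r)
    return kept

def make_events():
    # Constructed sample: three daily jobs, one start and one end event each.
    evs = []
    for day, job, secs in [(12, "J12", 15), (13, "J13", 19), (14, "J14", 28)]:
        start = datetime(2016, 1, day, 7, 0, 0)
        evs.append({"JobId": job, "_time": start})
        evs.append({"JobId": job, "_time": start + timedelta(seconds=secs)})
    # Assumed default result order: newest event first.
    return sorted(evs, key=lambda e: e["_time"], reverse=True)

def original_query(events):
    # streamstats current=f window=2 ... | dedup "Job ID"
    return {r["JobId"]: r for r in dedup(streamstats(events, 2, False), "JobId")}

def fixed_query(events):
    # sort _time | streamstats current=t window=2 ... | sort -_time | dedup "Job ID"
    asc = sorted(events, key=lambda e: e["_time"])
    rows = sorted(streamstats(asc, 2, True), key=lambda r: r["_time"], reverse=True)
    return {r["JobId"]: r for r in dedup(rows, "JobId")}
```

In the model, the original pipeline gives job J13 the times of J14 (the two rows above it), so J13's real times only appear on the row below, while the sorted `current=t` version pairs each job's end event with its own start event.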

Motivator

Hi athorat

I faced a similar issue; in my case the user timezone was the problem.

In Splunk Web, click your name, edit your account, save the time zone as default system time zone, and try.

Thanks,
V

0 Karma

Communicator

@vasanthmss

I did check those settings earlier. It is set to default system; tried playing around with the settings but does work.

Thanks,

0 Karma

Motivator

Does the data have a time zone on it? If you are using strftime it will convert based on your user settings...

0 Karma

SplunkTrust

Is it happening for all data fields on all rows?

0 Karma

Communicator

@somesoni2 Yes, for all the rows in the table.

0 Karma

Legend

Did you check your timezone settings?

0 Karma

Communicator

@sundareshr The timezone setting in props.conf? Anything specific which you are referring to?
Both Splunk and Hadoop infra are in the same timezone.

0 Karma

Communicator

@sundareshr
@somesoni2

I have attached the snapshot. For each job ID, its correct runtime is a row below.
For the job which shows runtime as Jan 14th, its run time is Jan 13th.

0 Karma