Splunk Search

Why is the Time Picker searching by time rather than creation date?

colinmchugo
Explorer

Hi,

When I run a search I am using a time picker and select 24h, 7d, 30 and the search runs for this time. But I pulled in a ton of info today and it seems to be showing it pulled by time rather than creation date which is a field in the data called "Created". How do I get the time picker to search by created date or have a search so I can, for example, search between dates like 1st of Feb to present date based on the creation date field? thanks

Colin

0 Karma

493669
Super Champion
0 Karma

FrankVl
Ultra Champion

To make splunk use a specific timestamp in your event, you need to look at the time related settings in props.conf for that source/sourcetype.
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/propsconf#Timestamp_extraction_configuration

If those timestamps already get extracted into separate fields, you should also be able to search by them, although you might need to transform the string values to a proper timestamp first to allow any calculations/comparison functions to work properly. Have a look at the strptime eval function.

0 Karma

colinmchugo
Explorer

Thanks Frank but this seems very complicated for what i want to achieve and i am probably not explaining myself correctly.

So to recap i pulled in dump of data (10.000 events) and when i go to search this data using the default time from a raw search (non panels/dashboards) it will find the data and it uses the field i want it too search under (created) so i know the search actually works. So if i search for data using the standard search window an select 1.2.2018 to 31.2.2018 i will only get data that was created for this date range.

My issue is when i build a time dropdown box and tell a panel to search off this time picker dropdown box it gives me back all of the data and not just the one i specify.

Maybe its a simple solution ? thanks alot to all.

Colin

0 Karma

colinmchugo
Explorer

When i expand a panel search i see that the time is not the time that is created which is a separate field but it is the time the data was pulled in on which was all yesterday. So not sure why its doing this and not searching the same way when you do a raw search?

0 Karma

FrankVl
Ultra Champion

Unless you provide more details on the exact searches / panel configs you're using, I'm afraid I also don't have an idea what might be causing your issue.

0 Karma

colinmchugo
Explorer

Ok thanks Frank

So a search i run is something like this
sourcetype="i.csv" ID!="#" | dedup ID | table ID,Status,Priority,Subject,Updated,Category,Hostname,Dept,Country,Created,Closed,Username | sort by _ID

This gives me the wrong data where it gives a table and in the _time column its just dates and times where the data was pulled in at not the creation time.

This only occurs when i do the search from a panel when i do a search from the normal search in splunk i get the answer i want to something is not being indexed correctly?

I cant show the data as you might understand but i hope that helps. I am going to try and run the searches again and then add the panels again. Other panels have geolocation based on the office location and then compares to a geolocations.csv and that too is showing all of the data and will not e.g. break down to 24 hours.

0 Karma

colinmchugo
Explorer

Think its an indexing issue Frank, leave it for now thank you sir.

0 Karma

colinmchugo
Explorer

Frank the issue is when we pull in this data we are looking for the last 1000 records updated. Then pulling in that data. THe problem is its using the updated data as the _time column when it should be using the Created column. I dont know how we tell it too look at the Creation Column and set this as the field to search on not the updated column. If you have ideas i would love to hear them. Thanks

0 Karma

FrankVl
Ultra Champion

What method are you using to ingest the data? Sounds a bit like DBConnect?

0 Karma

FrankVl
Ultra Champion

Ok, that's a whole different issue then what I first understood 🙂

Can you give a bit more info on what exactly you configured (e.g. share the dashboard xml)?

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...