Our servers are in the CST timezone. In the Splunk UI, we have set the timezone to EST (the users are in this zone).
Splunk Version 6.2.0
We are collecting last week stats, so our search is something like this:
earliest=-1w@w latest=-0w@w index=abc .... | timechart span=1w count as "Total",count(eval(status=401)) as "Failures"
Output:
_time Total Failures
23-Aug-15 43689 199
This works fine in the GUI.
However, we wanted to automate this as an email report and we received different values.
The reason is that the scheduled report runs in the server timezone (CST).
We tried implementing the workaround mentioned in http://answers.splunk.com/answers/170285/one-dashboard-with-multiple-timezones.html ("One dashboard with multiple timezones"):
earliest=-1w@w-h latest=-0w@w-h index=abc .... | eval _time=_time+3600 | timechart span=1w count as "Total",count(eval(status=401)) as "Failures"
This gives output:
_time Total Failures
22-Aug-15 38878 188
29-Aug-15 4811 11
Why does Splunk produce output like this for span=1w? Is this a bug?
We also tried span=7d, still no luck.
I know that the total of these gives the required output.
However, when we extend this query to the last 4 weeks of data with span=1w, we get incorrect numbers.
So adding the totals doesn't help.
Any workaround for this would be appreciated.