When I or one of my users changes the time range in Pivot, the change doesn't take effect. For instance, when we change the filter for time to the last 24 hours on the "New Pivot" screen to "Last 24 hours", Splunk runs the search job then returns a count for all events from 12/31/69 6:00:00.000 PM to now.
This only appears to happen on Pivots we create; when I change the date range the sample Pivots provided with the installation of Splunk 6, they work just fine. My suspicion is that it's a permissions issue, but I'm just not sure. My account has admin privileges, and has permission to read and write on the data model/pivot.
I'm facing the same issue in 6.1.1 today. Splunk is installed on Ubuntu and accessing it from Windows system.
Whatever the value from timerange I select, the chart is loading with complete data on the index.
This issue has been fixed in 6.0.2 🙂
One thing to make sure of is that you should make sure that there are not any time function in your data model, those will over ride the time restrictions you try and add in a Dashboard.
@martin_mueller, I downloaded a fresh version of Splunk 6 and tried to recreate your screenshot (including using the "de-DE" locale). For me, the time range was handled correctly. Do you have any customizations around search time ranges on your system?
That is not a configuration I've tested myself, so this is just speculation, but in that scenario I would guess that accelerated data models would have this issue but non-accelerated models would not.
As far as I know this doesn't cause actual crashes, so that sounds like a separate issue.
So my search head is linux based but 2 of my indexers are windows. Would it happen in this scenario as well?
I've actually gotten a few crash dumps on a distributed indexer thats windows whenever I'm using pivot. would love to know when a fix is available.
I have not opened a ticket, all our production installations at Splunk customers are running 5.x so there's no real-world impact for us yet.
Well the good news is that I figured out what's going wrong and filed an internal issue, but unfortunately I haven't been able to figure out a good workaround for you.
As long as your data model is not accelerated, the time range should work correctly in the search page, dashboards, and the report viewing page.
Do you have an existing support case? If so let me know and I will link it to the internal issue I created.
It appears to just be a Windows issue. I installed Splunk 6 on a Windows 7, 32bit system and I now see the buggy behavior. Working on tracking down the root cause now...
Very interesting. I was using a Linux box to replicate, so I'll give it another try matching your scenario.
Getting colleagues to test this, there may be a pattern emerging. Either the bug is related to running the server on Windows, or to installing over an existing Splunk 5... or both, not enough feedback yet.
Simon, what OS were you using to replicate? I've got three different machines with Windows 7, 64bit, Splunk 6.0, each installed over 5.0.x that show the same buggy behaviour, so I doubt it's due to individual configuration.
There are no times.conf files in .../local. I can create a diag if you like, there's loads of old stuff still flying around in various apps.
Agreed, there is most likely a bug in the pivot interface that's causing this. Hopefully we can track down the root cause so we can provide you with a workaround until we figure out a proper fix from our end.
I'll check that when I'm back in the office tomorrow. It's been installed over a previous 5.0.1 install I've been using for a year, so there may be all kinds of .conf settings I've forgotten about 🙂 No setting should cause this, but maybe we'll find a way to reproduce like this. It has to be caused by some coincidence, in general the feature is working fine for others.
Here's a screenshot of what I see:
I've opened the searches object in the _audit model, and am charting the average of result_count over time for the last 60 minutes. At the top of the page you can see it's actually running over all time, and the timechart is complaining about too many spans - probably it's trying to apply the 60-minute-range buckets of one minute to all time.
This happens regardless of what I do in the pivot interface.
Clicking "open in search" uses the correct time range in the search page.
I have this, too, on a data model I built for my app.
What is the data source for your Data Model? Is the object you're pivoting on Event-based or Transaction-based? And have you accelerated the Data Model?
I can replicate this as well.
Here's one data model config this is happening on:
constraint: index=main sourcetype=Script:ListeningPorts
Attributes:
Inherited: _time,host,source,sourcetype
Auto-extracted: dest_ip,dest_port,foreign_ip
Then I have a few eval expressions like
split_foreign_ip: split(foreign_ip,":")
Nothing spectacular happening here, but this is happening with every accelerated data model I have.
I'm seeing this happening with the sample data models for _internal and _audit. No matter what time range I select, the pivot results are calculated over all time.
@bruceclarke, we haven't been able to reproduce the issue internally yet. If you don't mind providing the info I requested from the original poster, it would help a lot.