Reporting

Time range not changing in Pivot interface

wpreston
Motivator

When I or one of my users changes the time range in Pivot, the change doesn't take effect. For instance, when we change the filter for time to the last 24 hours on the "New Pivot" screen to "Last 24 hours", Splunk runs the search job then returns a count for all events from 12/31/69 6:00:00.000 PM to now.

This only appears to happen on Pivots we create; when I change the date range the sample Pivots provided with the installation of Splunk 6, they work just fine. My suspicion is that it's a permissions issue, but I'm just not sure. My account has admin privileges, and has permission to read and write on the data model/pivot.

Tags (2)

splunk_worker
Path Finder

I'm facing the same issue in 6.1.1 today. Splunk is installed on Ubuntu and accessing it from Windows system.

Whatever the value from timerange I select, the chart is loading with complete data on the index.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

This issue has been fixed in 6.0.2 🙂

andrewcg
Path Finder

One thing to make sure of is that you should make sure that there are not any time function in your data model, those will over ride the time restrictions you try and add in a Dashboard.

0 Karma

Simon_Fishel
Splunk Employee
Splunk Employee

@martin_mueller, I downloaded a fresh version of Splunk 6 and tried to recreate your screenshot (including using the "de-DE" locale). For me, the time range was handled correctly. Do you have any customizations around search time ranges on your system?

0 Karma

Simon_Fishel
Splunk Employee
Splunk Employee

That is not a configuration I've tested myself, so this is just speculation, but in that scenario I would guess that accelerated data models would have this issue but non-accelerated models would not.

As far as I know this doesn't cause actual crashes, so that sounds like a separate issue.

0 Karma

mjones414
Contributor

So my search head is linux based but 2 of my indexers are windows. Would it happen in this scenario as well?

I've actually gotten a few crash dumps on a distributed indexer thats windows whenever I'm using pivot. would love to know when a fix is available.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I have not opened a ticket, all our production installations at Splunk customers are running 5.x so there's no real-world impact for us yet.

0 Karma

Simon_Fishel
Splunk Employee
Splunk Employee

Well the good news is that I figured out what's going wrong and filed an internal issue, but unfortunately I haven't been able to figure out a good workaround for you.

As long as your data model is not accelerated, the time range should work correctly in the search page, dashboards, and the report viewing page.

Do you have an existing support case? If so let me know and I will link it to the internal issue I created.

0 Karma

Simon_Fishel
Splunk Employee
Splunk Employee

It appears to just be a Windows issue. I installed Splunk 6 on a Windows 7, 32bit system and I now see the buggy behavior. Working on tracking down the root cause now...

Simon_Fishel
Splunk Employee
Splunk Employee

Very interesting. I was using a Linux box to replicate, so I'll give it another try matching your scenario.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Getting colleagues to test this, there may be a pattern emerging. Either the bug is related to running the server on Windows, or to installing over an existing Splunk 5... or both, not enough feedback yet.

Simon, what OS were you using to replicate? I've got three different machines with Windows 7, 64bit, Splunk 6.0, each installed over 5.0.x that show the same buggy behaviour, so I doubt it's due to individual configuration.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

There are no times.conf files in .../local. I can create a diag if you like, there's loads of old stuff still flying around in various apps.

0 Karma

Simon_Fishel
Splunk Employee
Splunk Employee

Agreed, there is most likely a bug in the pivot interface that's causing this. Hopefully we can track down the root cause so we can provide you with a workaround until we figure out a proper fix from our end.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I'll check that when I'm back in the office tomorrow. It's been installed over a previous 5.0.1 install I've been using for a year, so there may be all kinds of .conf settings I've forgotten about 🙂 No setting should cause this, but maybe we'll find a way to reproduce like this. It has to be caused by some coincidence, in general the feature is working fine for others.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Here's a screenshot of what I see:

alt text

I've opened the searches object in the _audit model, and am charting the average of result_count over time for the last 60 minutes. At the top of the page you can see it's actually running over all time, and the timechart is complaining about too many spans - probably it's trying to apply the 60-minute-range buckets of one minute to all time.

This happens regardless of what I do in the pivot interface.
Clicking "open in search" uses the correct time range in the search page.

0 Karma

helge
Builder

I have this, too, on a data model I built for my app.

0 Karma

Simon_Fishel
Splunk Employee
Splunk Employee

What is the data source for your Data Model? Is the object you're pivoting on Event-based or Transaction-based? And have you accelerated the Data Model?

0 Karma

mjones414
Contributor

I can replicate this as well.

Here's one data model config this is happening on:

constraint: index=main sourcetype=Script:ListeningPorts

Attributes:
Inherited: _time,host,source,sourcetype
Auto-extracted: dest_ip,dest_port,foreign_ip

Then I have a few eval expressions like
split_foreign_ip: split(foreign_ip,":")

Nothing spectacular happening here, but this is happening with every accelerated data model I have.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I'm seeing this happening with the sample data models for _internal and _audit. No matter what time range I select, the pivot results are calculated over all time.

0 Karma

Simon_Fishel
Splunk Employee
Splunk Employee

@bruceclarke, we haven't been able to reproduce the issue internally yet. If you don't mind providing the info I requested from the original poster, it would help a lot.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...