- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Summary Indexing and TZ
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Summary Indexing and TZ
Hi,
I am getting a raw event stream which is getting TZ per PT Splunk props.conf is looking at TZ as PT and converts to CT (where my search head and indexers are ) - this is working as it should be.
But i am running a simple scheduled reports and pointing output to another Summary index on above Event Stream - now when i go and look in data being populated by Scheduled Search in this new Summary Index it is showing time per PT and not CT...not sure why it is messing it up.
Here is my first line of Raw Event in
4/13/14
6:59:14.000 PM Sun Apr 13 16:59:14 2014 PT : Opened Incident Details
As you can see splunk converted smartly - Sun Apr 13 16:59:14 2014 PT to 4/13/14
6:59:14.000 PM (Central TIme Zone) - and this is perfect.
but when i run scheduled search on above event stream and point data to Summary Index (si_test)
Here is my first line in Summary Index
4/13/14 4:38:13.000 PM
Sun Apr 13 16:38:13 2014 PT : Opened Incident Details Current Status: Open
here not sure why it will recognize ( 4/13/14 4:38:13.000 PM ) , rather it should have preserved the Time stamps as (4/13/14 6:59:14.000 PM)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've found that you do want to include _time in information you are summarizing. Otherwise Splunk will apply the time based off your search.
If I am summarising events I like to table out all of the necessary fields, then perform calculations after the fact. I've found this allows me to run fewer summary searches, and achieve better performance. When doing this you must specify your fields. Allowing _raw to sneak into your summary will cause problems.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But when I try simple below query its taking the current system time instead of _time of event.
index=indexname | collect index=si
I want the events in the summary index to retain the _time as it is in the primary index. But it's storing the current system time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you should not include the time in summary index. It should take automatically from the time which were present in the actual events. As you are including the time fields it's again being adjusted while doing the summary.
Keep only Opened Incident Details Current Status: Open
rather than Sun Apr 13 16:38:13 2014 PT : Opened Incident Details Current Status: Open
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But when I try simple below query its taking the current system time instead of _time of event.
index=indexname | collect index=si
I want the events in the summary index to retain the _time as it is in the primary index. But it's storing the current system time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You can try including _time in your base search and then collect it in summary index
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
