Reporting

date_* fields are NULL for some data. Why?

the_wolverine
Champion

I have a bunch of events that, for some reason, are coming up with NULL values for date_* fields. Why would this happen? The events all contain the correct date/time -- just missing the date_* fields that I wanted to use for reporting.

sideview
SplunkTrust
SplunkTrust

I think there was a previous question about this but I cant find it.

Somewhat from memory and somewhat from the implications in the link below, the date_* fields are only present when Splunk has extracted the date from the event text itself, and there hasnt been any custom timezone offset or anything applied.

So if you are just using the current time for instance (DATETIME_CONFIG=CURRENT), instead of having Splunk parse it out of the event, or if you are doing some timezone offset in inputs.conf, I think the date_* fields simply dissappear. Which would lead to them showing up in reports as NULL.

http://www.splunk.com/base/Documentation/4.2/User/UseDefaultAndInternalFields

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

And I think this is considered a bug

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...