- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why are we getting an incorrect date in our result...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the job: 0019295 which shows run time on Thu Jan 14 07:00:02:2016 actually ran on Wed Jan 13 07:00:19 2016
Sanpshot attached.
which is the time on the row below this event.
And that's the reason the timechart and the table shows different values.
| rename JobId as "Job ID",JobName as "Job Name"
| streamstats current=f window=2 range(_time) as JobRunTime latest(_time) as EndTime earliest(_time) as StartTime
| table "Job Name", "Job ID", StartTime , EndTime ,JobRunTime
| dedup "Job ID"
| eval StartTime=strftime(StartTime, "%c")
|eval EndTime=strftime(EndTime, "%c")
| eval JobRunTime=tostring(JobRunTime, "duration")
Not Sure why the dates are being changed or incremented by 1
Thanks,
Anil.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sundareshr
@somesoni2 @vasanthmss
Thank you so much for looking into this.
Used sort _time and tried the following query and it works.
sort _time | streamstats current=t window=2 range(_time) as JobRunTime latest(_time) as EndTime earliest(_time) as StartTime | sort -_time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sundareshr
@somesoni2 @vasanthmss
Thank you so much for looking into this.
Used sort _time and tried the following query and it works.
sort _time | streamstats current=t window=2 range(_time) as JobRunTime latest(_time) as EndTime earliest(_time) as StartTime | sort -_time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi athorat
I face the similar issue, in my case the user timezone was the problem.
In Spunk web, click your name and edit your account and save time zone as default system time zone and try.
Thanks,
V
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vasanthmss
I did check those settings earlier. It is set to default system tried playing around the settings but does work.
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is data has time zone on it? If you are using strftime it will convert based on your user settings...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it happening for all data fields on all rows ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 yes for all the rows in the table
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you check your timezone settings?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sundareshr the timezone setting in props.conf? anything specific which you referring.
Both Splunk and Hadoop infra is in the same timezone.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sundareshr
@somesoni2
I have attached the snapshot. For each jobid its correct runtime is a row below.
Job which shows runtime as Jan 14th its run time is Jan 13th
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
