Splunk Search

Why are we getting an incorrect date in our resulting table?

athorat
Communicator

The job 0019295, which shows run time on Thu Jan 14 07:00:02:2016, actually ran on Wed Jan 13 07:00:19 2016, which is the time on the row below this event.
Snapshot attached.

And that's the reason the timechart and the table show different values.

| rename JobId as "Job ID", JobName as "Job Name"
| streamstats current=f window=2 range(_time) as JobRunTime latest(_time) as EndTime earliest(_time) as StartTime
| table "Job Name", "Job ID", StartTime, EndTime, JobRunTime
| dedup "Job ID"
| eval StartTime=strftime(StartTime, "%c")
| eval EndTime=strftime(EndTime, "%c")
| eval JobRunTime=tostring(JobRunTime, "duration")

Not sure why the dates are being changed or incremented by 1.

Thanks,
Anil.

0 Karma
1 Solution

athorat
Communicator

@sundareshr
@somesoni2 @vasanthmss
Thank you so much for looking into this.

Used sort _time and tried the following query and it works.

sort _time | streamstats current=t window=2 range(_time) as JobRunTime latest(_time) as EndTime earliest(_time) as StartTime | sort -_time

0 Karma
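Why the table in the question is off by one row and why the accepted query fixes it, as an added example that is not part of the original thread: a simplified Python model of the streamstats window applied to `_time`. It assumes search results reach streamstats newest first unless sorted and that the window is the last `window` events in stream order; job IDs 0019294 and 0019296 and all times other than the Jan 13 run of job 0019295 are constructed.

```python
from datetime import datetime, timezone

def ts(day, h, m, s):
    """Epoch seconds for a constructed January 2016 timestamp (UTC)."""
    return int(datetime(2016, 1, day, h, m, s, tzinfo=timezone.utc).timestamp())

# Constructed sample events. Job 0019295 and its Jan 13 run time come from the
# question; the other job IDs and times are made up for illustration.
EVENTS = [
    {"JobId": "0019294", "_time": ts(12, 7, 0, 11)},
    {"JobId": "0019295", "_time": ts(13, 7, 0, 19)},
    {"JobId": "0019296", "_time": ts(14, 7, 0, 2)},
]

def streamstats(events, window, current):
    """Simplified model of streamstats window=/current= for _time only.

    Assumption: the window is the last `window` events in stream order,
    ending at the current event (current=t) or just before it (current=f).
    """
    out = []
    for i, ev in enumerate(events):
        end = i + 1 if current else i
        times = [e["_time"] for e in events[max(0, end - window):end]]
        row = dict(ev, StartTime=None, EndTime=None, JobRunTime=None)
        if times:
            row.update(StartTime=min(times), EndTime=max(times),
                       JobRunTime=max(times) - min(times))
        out.append(row)
    return out

def by_job(rows):
    return {r["JobId"]: r for r in rows}

def question_query():
    # Assumed newest-first order; current=f leaves the row's own event out.
    newest_first = sorted(EVENTS, key=lambda e: e["_time"], reverse=True)
    return by_job(streamstats(newest_first, window=2, current=False))

def accepted_query():
    # sort _time | streamstats current=t window=2 ...
    oldest_first = sorted(EVENTS, key=lambda e: e["_time"])
    return by_job(streamstats(oldest_first, window=2, current=True))

if __name__ == "__main__":
    for name, rows in (("question", question_query()), ("accepted", accepted_query())):
        for job, r in rows.items():
            print(name, job, r["StartTime"], r["EndTime"], r["JobRunTime"])
```

In the model of the question's query, job 0019295 is labelled with the Jan 14 time of the event above it and its own Jan 13 time first appears on the row below; in the model of the accepted query, each row's EndTime is its own `_time`.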

vasanthmss
Motivator

Hi athorat

I faced a similar issue; in my case the user timezone was the problem.

In Splunk Web, click your name, edit your account, save the time zone as default system time zone, and try.

Thanks,
V
0 Karma

athorat
Communicator

@vasanthmss

I did check those settings earlier. It is set to default system. Tried playing around with the settings but does work.

Thanks,

0 Karma

vasanthmss
Motivator

Does the data have a time zone on it? If you are using strftime, it will convert based on your user settings...

V
0 Karma

somesoni2
SplunkTrust

Is it happening for all date fields on all rows?

0 Karma

athorat
Communicator

@somesoni2 Yes, for all the rows in the table.

0 Karma

sundareshr
Legend

Did you check your timezone settings?

0 Karma

athorat
Communicator

@sundareshr The timezone setting in props.conf? Anything specific which you are referring to?
Both Splunk and Hadoop infra are in the same timezone.

0 Karma

athorat
Communicator

@sundareshr
@somesoni2

I have attached the snapshot. For each job ID, its correct run time is a row below.
For the job which shows run time as Jan 14th, its run time is Jan 13th.

0 Karma