Splunk Search

-1 value at _time field using timechart

guimilare
Communicator

Hello Splunkers.

I'm having an issue with timechart;

Scenario:
I have an index that contains summarized data.
I want to create a timechart showing the sum of bytes used.
However, in the field _time, I get some dates OK and then I get a -1 value. After that, _time goes back to start of the epoch time:
[screenshot of the timechart output]

At first I imagined that it was related to summarization issues, but the same occurs on the data indexed directly from the ironports.
Have you guys ever seen something like that?

Thanks in advance!

0 Karma
1 Solution

guimilare
Communicator

Hi all.

This issue was caused by the start of Daylight Saving Time in Brazil.
Splunk reported this as a bug.

The workaround is to add span=24h to the search.

View solution in original post

0 Karma
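To make the DST angle of this answer concrete, here is an added example (not code from the thread, and not a reproduction of Splunk's timechart internals) showing why a calendar-day span and a fixed 24h span disagree on the day summer time starts. It uses a hand-written tzinfo that models only the 2016 DST start in America/Sao_Paulo (clocks jump from 00:00 to 01:00 local on 2016-10-16, UTC-3 to UTC-2), so it runs without tzdata; the function names, the sample event list and the single-transition zone rule are all constructed for this illustration. A day-aligned span must compute "local midnight" for each day, and on the transition day that wall-clock time does not exist and the day is only 23 hours long, whereas epoch-aligned 24h buckets never touch local time at all.

```python
"""Constructed illustration: calendar-day vs fixed-24h bucketing across a DST start.

Added example, not code from the thread. Only the 2016 DST start in
America/Sao_Paulo is modelled, with a hand-written tzinfo, so no tzdata is
needed. It does not reproduce Splunk's timechart implementation.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone, tzinfo

STD = timedelta(hours=-3)          # standard time offset
DST = timedelta(hours=-2)          # summer time offset
# DST began 2016-10-16 00:00 local standard time, which is 03:00 UTC.
DST_START_UTC = datetime(2016, 10, 16, 3, 0)


class SaoPaulo2016(tzinfo):
    """Minimal tzinfo with a single transition (constructed for this example)."""

    def utcoffset(self, dt):
        # Wall-clock 00:00-00:59 on 2016-10-16 never occurred. Treat it as
        # pre-transition (-03), which maps it onto 03:00 UTC, i.e. 01:00 DST.
        wall = dt.replace(tzinfo=None)
        return DST if wall >= datetime(2016, 10, 16, 1, 0) else STD

    def dst(self, dt):
        return timedelta(hours=1) if self.utcoffset(dt) == DST else timedelta(0)

    def tzname(self, dt):
        return "-02" if self.utcoffset(dt) == DST else "-03"

    def fromutc(self, dt):
        # dt holds UTC wall time tagged with this zone; return local wall time.
        utc = dt.replace(tzinfo=None)
        offset = DST if utc >= DST_START_UTC else STD
        return (utc + offset).replace(tzinfo=self)


TZ = SaoPaulo2016()


def calendar_day_bucket(epoch, tz=TZ):
    """Bucket start = local midnight of the event's calendar day, as epoch seconds."""
    local = datetime.fromtimestamp(epoch, tz)
    midnight = datetime(local.year, local.month, local.day, tzinfo=tz)
    return int(midnight.timestamp())


def fixed_span_bucket(epoch, span_s=24 * 3600):
    """Bucket start = epoch-aligned fixed width; time zone never enters the math."""
    return epoch - epoch % span_s


def local_day_length_hours(year, month, day, tz=TZ):
    """Hours from this local midnight to the next one (23 on the DST-start day)."""
    start = datetime(year, month, day, tzinfo=tz)
    nxt = start + timedelta(days=1)          # wall-clock arithmetic, then re-resolved
    return (nxt.timestamp() - start.timestamp()) / 3600


def count_per_bucket(epochs, bucket_fn):
    """Events per bucket start, the shape a timechart count would produce."""
    return dict(Counter(bucket_fn(e) for e in epochs))


# Constructed input: one event per hour for 71 hours, starting at local midnight
# on 2016-10-15 (03:00 UTC), so the series straddles the DST change.
SAMPLE_EPOCHS = [
    int(datetime(2016, 10, 15, 3, 0, tzinfo=timezone.utc).timestamp()) + 3600 * k
    for k in range(71)
]

if __name__ == "__main__":
    print("local day lengths (h):",
          [local_day_length_hours(2016, 10, d) for d in (15, 16, 17)])
    for name, fn in (("calendar day", calendar_day_bucket),
                     ("fixed 24h", fixed_span_bucket)):
        hist = count_per_bucket(SAMPLE_EPOCHS, fn)
        print(name, {datetime.fromtimestamp(b, timezone.utc).isoformat(): n
                     for b, n in sorted(hist.items())})
```

Running it shows the 15th and 17th as 24-hour local days but the 16th as 23 hours, and the calendar-day histogram gives 24, 23, 24 events while the fixed 24h buckets are uniformly 24 wide. The search somesoni2 suggests below (`_time<0`) inspects the raw events; this example is about the bucket boundaries, which is where local-midnight arithmetic happens even when every event's _time is correct.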

guimilare
Communicator

_time seems to be indexed correctly:

[screenshot of events with their _time values]

I guess a few events were wrongly indexed and are causing this issue.
I have to find these bad guys now.

Any hints?

0 Karma

somesoni2
SplunkTrust

Do you get any event when you run this?

index=wsa_ironport name_subnet="XXX"  _time<0
0 Karma

guimilare
Communicator

Hi somesoni2,
I get 0 results for the search above...
That's why I keep thinking that timechart is not recognizing something...

0 Karma

cmerriman
Super Champion

Are you piping right after the timechart command?

0 Karma

sundareshr
Legend

It seems like '_time' is not getting indexed correctly from raw data. Do you see correct time values in the events returned by your base search?

index=wsa_ironport name=zyx  | table _time _raw
0 Karma

guimilare
Communicator

This is my search:

index=wsa_ironport name_subnet="XXX" | timechart sum(eval(round(bytes_in/1048576,3))) as traffic by name_subnet
0 Karma

cmerriman
Super Champion

Ah, alright, that picture looked like there was a pipe in there.

I assume it's ...|timechart span=1d sum(eval...

I'd double check the _raw data to make sure that _time is being indexed correctly.

0 Karma