Splunk Search

-1 value at _time field using timechart

guimilare
Communicator

Hello Splunkers.

I'm having an issue with timechart;

Scenario:
I have an index that contains summarized data.
I want to create a timechart showing the sum of bytes used.
However, in the _time field I get some dates OK and then a -1 value. After that, _time goes back to the start of epoch time.

At first I imagined that it was related to summarization issues, but the same occurs on the data indexed directly from the IronPorts.
Have you guys ever seen something like that?

Thanks in advance!

0 Karma
1 Solution

guimilare
Communicator

Hi all.

This issue was caused by the start of Daylight Saving Time in Brazil.
Splunk reported this as a bug.

The workaround is to add span=24h to the search.


0 Karma
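An added illustration, not from this thread and not Splunk's code, of why a fixed-length span can sidestep a DST-start problem: Brazil's 2018 DST start (modeled here as the offset jumping from -03:00 to -02:00 at 2018-11-04 03:00 UTC) removes local midnight of that day from the wall clock. Bucketing by local calendar day has no valid midnight to snap to (returning -1 is this example's assumed model of the symptom, not the documented bug mechanism), while bucketing by a fixed 24h span counted from the epoch never consults the wall clock.

```python
from datetime import datetime, timedelta, timezone

# Constructed model of the Brazil 2018 DST start: at 2018-11-04 03:00 UTC the
# America/Sao_Paulo offset jumps from -03:00 to -02:00, so local clocks go from
# 23:59:59 straight to 01:00:00 and "2018-11-04 00:00" never occurs. Only the
# DST start is modeled; the later DST end is out of scope for this illustration.
DST_START_UTC = datetime(2018, 11, 4, 3, 0, tzinfo=timezone.utc).timestamp()
OFFSET_STD = timedelta(hours=-3)
OFFSET_DST = timedelta(hours=-2)


def utc_offset(epoch: float) -> timedelta:
    """UTC offset in force at a given instant (modeled transition only)."""
    return OFFSET_DST if epoch >= DST_START_UTC else OFFSET_STD


def local_wall_time(epoch: float) -> datetime:
    """Naive local wall-clock time for an instant."""
    utc = datetime.fromtimestamp(epoch, tz=timezone.utc).replace(tzinfo=None)
    return utc + utc_offset(epoch)


def calendar_day_bucket(epoch: float) -> float:
    """span=1d-style bucketing: snap to local midnight of the event's day.

    Returns -1 when that midnight does not exist on the wall clock. This is an
    assumed model of the -1 symptom seen in the thread, not Splunk's logic.
    """
    midnight = local_wall_time(epoch).replace(hour=0, minute=0, second=0, microsecond=0)
    for off in (OFFSET_STD, OFFSET_DST):
        # UTC instant = local wall time - offset; keep it only if that offset
        # is really the one in force at that instant (i.e. the wall time exists).
        candidate = (midnight - off).replace(tzinfo=timezone.utc).timestamp()
        if utc_offset(candidate) == off:
            return candidate
    return -1


def fixed_span_bucket(epoch: float, span: int = 86400) -> float:
    """span=24h-style bucketing: fixed-length buckets counted from the epoch,
    independent of local wall-clock rules, so there is no gap to fall into."""
    return epoch - (epoch % span)
```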


guimilare
Communicator

_time seems to be indexed correctly.

I guess a few events were wrongly indexed and are causing this issue.
I have to find these bad guys now.

Any hints?

0 Karma

somesoni2
Revered Legend

Do you get any event when you run this?

index=wsa_ironport name_subnet="XXX"  _time<0
0 Karma

guimilare
Communicator

Hi somesoni2,
I get 0 results for the search above...
That's why I keep thinking that timechart is not recognizing something...

0 Karma

cmerriman
Super Champion

Are you piping right after the timechart command?

0 Karma

sundareshr
Legend

It seems like '_time' is not getting indexed correctly from the raw data. Do you see correct time values in the events returned by your base search?

index=wsa_ironport name=zyx  | table _time _raw
0 Karma


guimilare
Communicator

This is my search:

index=wsa_ironport name_subnet="XXX" | timechart sum(eval(round(bytes_in/1048576,3))) as traffic by name_subnet
0 Karma

cmerriman
Super Champion

Ahh, alright, that picture looked like there was a pipe in there.

I assume it's ...|timechart span=1d sum(eval...

I'd double check the _raw data to make sure that _time is being indexed correctly.

0 Karma