After the Daylight Savings Time change, why am I n...

nomanalis · ‎03-15-2017

We have some dashboards running searches with timewrap. I have noticed that after the Daylight Savings Time (DST) change on 03/12/2017 night, our searches are giving "0" as a result, whereas I can see the result is something different. I have taken the search and run it in parts and when I reached to the last part where I run the timewrap, the result gets erroneous.

Is there any way to check and fix the time somewhere?

Noman Syed

lguinn2 · ‎03-18-2017

You should not be using timewrap when you want to display a single value result as you show in your comment. So it is correct to remove the timewrap command.

lguinn2 · ‎03-15-2017

What do you see when you look at the underlying data, in a simple search?

Splunk does not do anything about Daylight Savings Time or British Summer Time, etc.
As data arrives in Splunk and is parsed, the timestamps are calculated in UTC and stored with the events in the Splunk index.
The events are displayed in the timezone that the user chooses in their personal settings.

So if something has abruptly changed, I would examine: Did something change on the systems that generate the data? Is there a timezone explicitly specified in the timestamp (that would be nice)? Is the timestamp in the incoming data correct? When the data is parsed, are there any props.conf settings that might change how the timestamp is interpreted?
Here is the documentation for How timestamp assignment works.

nomanalis · ‎03-17-2017

If I remove the TIMEWRAP command from the search, I get the correct result but as soon as I put the TIMEWRAP command back in the search, it produces 0 as a result. Screenshots are attached.

After the Daylight Savings Time change, why am I not getting results using the timewrap command?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM