After the Daylight Savings Time change, why am I not getting results using the timewrap command?

nomanalis
New Member

We have some dashboards running searches with timewrap. I have noticed that after the Daylight Savings Time (DST) change on the night of 03/12/2017, our searches are giving "0" as a result, whereas I can see the result is something different. I have taken the search and run it in parts, and when I reached the last part, where I run the timewrap, the result becomes erroneous.

Is there any way to check and fix the time somewhere?

Noman Syed

0 Karma

lguinn2
Legend

You should not be using timewrap when you want to display a single value result as you show in your comment. So it is correct to remove the timewrap command.

0 Karma

lguinn2
Legend

What do you see when you look at the underlying data, in a simple search?

Splunk does not do anything about Daylight Savings Time or British Summer Time, etc.
As data arrives in Splunk and is parsed, the timestamps are calculated in UTC and stored with the events in the Splunk index.
The events are displayed in the timezone that the user chooses in their personal settings.

So if something has abruptly changed, I would examine: Did something change on the systems that generate the data? Is there a timezone explicitly specified in the timestamp (that would be nice)? Is the timestamp in the incoming data correct? When the data is parsed, are there any props.conf settings that might change how the timestamp is interpreted?
Here is the documentation for How timestamp assignment works.

0 Karma
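
An added example (not from the thread or from Splunk) of the checks suggested in the answer above: it shows how a timestamp without an explicit offset depends on the zone the parser assumes around the 03/12/2017 change, while one with an offset does not. US Eastern time, the hard-coded offsets, the helper names and the sample events are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumption: source hosts are on US Eastern time. The 2017 spring-forward
# rule is hard-coded so the example runs without a tz database.
EST = timezone(timedelta(hours=-5))
EDT = timezone(timedelta(hours=-4))
DST_START_LOCAL = datetime(2017, 3, 12, 2, 0, 0)  # 02:00 EST jumps to 03:00 EDT

# Constructed sample: (raw timestamp as logged, true event time in UTC).
# Both come from a host that kept writing EST wall-clock time after the change.
SAMPLE = [
    ("2017-03-13 08:30:00", datetime(2017, 3, 13, 13, 30, tzinfo=timezone.utc)),
    ("2017-03-13 08:30:00 -0500", datetime(2017, 3, 13, 13, 30, tzinfo=timezone.utc)),
]


def eastern_tz(naive):
    """Offset a DST-aware parser would assume for a wall-clock time in March 2017."""
    return EST if naive < DST_START_LOCAL else EDT


def to_epoch(raw, fallback=eastern_tz):
    """Return UTC epoch seconds; an explicit offset in the event wins over the assumed zone."""
    try:
        return int(datetime.strptime(raw, "%Y-%m-%d %H:%M:%S %z").timestamp())
    except ValueError:
        naive = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
        return int(naive.replace(tzinfo=fallback(naive)).timestamp())


def skew_report(events=SAMPLE):
    """Seconds between the parsed time and the true time for each event."""
    return [to_epoch(raw) - int(true.timestamp()) for raw, true in events]


def wall_clock_day_seconds():
    """UTC seconds between 09:30 local on the day before and the day of the change."""
    return to_epoch("2017-03-12 09:30:00") - to_epoch("2017-03-11 09:30:00")


if __name__ == "__main__":
    print("skew per event (s):", skew_report())
    print("one wall-clock day across the change (s):", wall_clock_day_seconds())
```

The event without an offset is stored one hour early, the one with `-0500` is stored correctly, and the same wall-clock time on consecutive days is 23 hours apart in UTC.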

nomanalis
New Member

If I remove the TIMEWRAP command from the search, I get the correct result but as soon as I put the TIMEWRAP command back in the search, it produces 0 as a result. Screenshots are attached.

0 Karma