latest events which are indexed are not pulled cor...

k_harini · ‎01-17-2018

I have real time events pulled through rest api call. The latest events are present in index but not visible when we select time filter as 4 hours. Events are visible with All time filter.
what could be the issue
(before 1/17/18 12:07:20.000 PM) This is what i see when i select all time

But in events - I see this 1/17/18
5:12:47.000 PM and events with _time=2018-01-17 17:12:47

so when filter is selected as 4 hours events are not visible. Kindly help.. its urgent
DATETIME_CONFIG =
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ=UTC

mayurr98 · ‎01-17-2018

can you show some sample events?

k_harini · ‎01-17-2018

_time=2018-01-17 17:12:47,u_comments="",child_incidents="0",sys_tags="",u_sla="",u_resolved="",work_notes_list="",work_end="",u_approve_reject="",u_priority_type="Downgrade",approval_history="",u_external_reference_id="",rfc="",u_resolved_by="",sla_due="UNKNOWN",u_peer="",u_proposed_critical="false",u_production_server_risk="false",u_business_unit="De Beers Canada"

This is one sample event

k_harini · ‎01-17-2018

I guess this is issue with timezone.. its indexing ahead of time and not shown in time filter. How to correct this?

mayurr98 · ‎01-17-2018

hey, check your server time. I had faced this kind of issues NTP synchronization at server level would solve your issue
let me know if it helps!

k_harini · ‎01-17-2018

Should the props.conf be as per server time?

mayurr98 · ‎01-17-2018

Nope but your files should !

493669 · ‎01-17-2018

is your data is coming from database?
your eventtime(_time) is ahead of time so you are not getting result when you search for last 4 hrs and getting result when search for all time

latest events which are indexed are not pulled correctly based on time filter

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor