My environment:
Splunk Ver : 7.2.3
When I used the bin command to wrap _time, I found that value was weird like the below capture.
It only shows the year, month, date.
Apparently, if you set the span to 30 minutes, or if you use minspan, it seems to be happening.
I confirmed this event in 7.1.4 too.
Is this a specification?
Or is it a problem?
It's normal behavior for the UI to display yyyy-mm-dd 00:00:00 (00:29:xy bin'd to 30m) as just yyyy-mm-dd. Same behavior can be observed about not displaying 000 milliseconds, it's trying to simplify the timestamp for you.
So it only happens when you are looking at events that are being interpreted as having happened within 30 minutes after midnight (to you). So retry in an hour and it will look the way that you expect.
Wow, you're right.
I confirmed that all logs that can be summarized at "~00:00:00" had this format.
Thank you for the answer and comment!
What seems odd about this? It's your timestamp, plus a GMT+9 hour offset....
Normally, if you use bin with _time, you will see timestamps separated by 30 minutes as below.
_time
2019-03-24 10:00:00
2019-03-24 10:30:00
2019-03-24 11:00:00
...
However, the above capture only shows the year, month, date.
Also, this event does not occur in all events in search range, but only in some events.