Timechart for a span=2hrs not splitting from 00:00

vinaybandaru · ‎09-23-2019

For example in the below search, when I try to perform timechart for span=2hrs, why it always takes from 23:00 of the previous day?
Example:

index="index1"
| timechart span=2hr count as "Total"

_time Total
2019-09-22 23:00 0
2019-09-23 01:00 0
2019-09-23 03:00 36
2019-09-23 05:00 0
2019-09-23 07:00 679
2019-09-23 09:00 782
2019-09-23 11:00 293
2019-09-23 13:00 0
2019-09-23 15:00 0
2019-09-23 17:00 0
2019-09-23 19:00 0
2019-09-23 21:00 0
2019-09-23 23:00 0

In my requirement, I need the span should be from 00:00 and not 23:00. Could you please help?

Thanks!!

wmyersas · ‎09-23-2019

What timezone is Splunk running in?

Are you doign absolute timing (eg -2d@), or relative (eg -48h)?

Sidebar - you want | timechart span=2h count as Total

lichtelwichtel · ‎11-13-2019

I have the same problem, and this started with the switch from summertime for me.
If I search for logs from 00:00 to 24:00 (earliest=-2d@d latest=-1d@d), I correctly get the logs in that timeframe.
When I want to split this time into 2 hour segments with span (either with |bucked span=2h _time or with |timechart span=2h count), the segments start at 23h. This means that my first and last segment only have data from one hour.
How come "span" uses a different time setting than earliest/latest?

My workaround (which needs to change every timechange) is the following:
| eval _time=_time+3600
| bucket span=2h _time
| eval _time=_time-3600
| stats count by _time
Not very elegant, but it works.

vinaybandaru · ‎09-24-2019

Hi,
It's running in CET timezone. And user is of GMT-03:00 - Brazil timezone.
I'm selecting for the time period for yesterday where in (09/23/2019 : 00:00:00:000 - 09/24/2019 : 00:00:00:000)

Yes i want to count events between span of 2hours. i.e from 0-2;2-4 etc

Thanks,
Vinay

wmyersas · ‎09-24-2019

Unix epoch time is always UTC - https://en.wikipedia.org/wiki/Unix_time

wmyersas · ‎09-24-2019

Sounds like you're running into timezone boundaries - if the server's running CET (1 hour ahead of UTC), then it is dividing correctly on the odd hours

diogofgm · ‎09-23-2019

Use fixed time intervals like index=blah earliest = -1d@d latest=@d for yesterday or index=blah earliest = @dfor today instead of the preset last 24h

------------
Hope I was able to help you. If so, some karma would be appreciated.

vinaybandaru · ‎09-24-2019

I tried but it doesn't work also with both earliest = -1d@d latest=@d / earliest =@d. But it gives the same results.
_time Total
2019-09-22 23:00 0
2019-09-23 01:00 0
2019-09-23 03:00 36
2019-09-23 05:00 0
2019-09-23 07:00 679
2019-09-23 09:00 782
2019-09-23 11:00 293
2019-09-23 13:00 0
2019-09-23 15:00 0
2019-09-23 17:00 0
2019-09-23 19:00 0
2019-09-23 21:00 0
2019-09-23 23:00 0

Anantha123 · ‎09-23-2019

Try using span=2h@h

diogofgm · ‎09-23-2019

span does not work @h

------------
Hope I was able to help you. If so, some karma would be appreciated.

vinaybandaru · ‎09-24-2019

it works but it gives the same results.
_time Total
2019-09-22 23:00 0
2019-09-23 01:00 0
2019-09-23 03:00 36
2019-09-23 05:00 0
2019-09-23 07:00 679
2019-09-23 09:00 782
2019-09-23 11:00 293
2019-09-23 13:00 0
2019-09-23 15:00 0
2019-09-23 17:00 0
2019-09-23 19:00 0
2019-09-23 21:00 0
2019-09-23 23:00 0

Anantha123 · ‎09-24-2019

Just a thought . Is the timezone for the logs and the system are same ?

Timechart for a span=2hrs not splitting from 00:00

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor