If you use the "bin" to put together the "_time" field and table it, the displayed value is weird.

yutaka1005
Builder

My environment:
Splunk Ver : 7.2.3

When I used the bin command to wrap _time, I found that the value was weird, as in the capture below.

It only shows the year, month, and date.

[screenshot]

Apparently, it seems to happen if you set the span to 30 minutes, or if you use minspan.

I confirmed this event in 7.1.4 too.

Is this a specification?

Or is it a problem?

1 Solution

martin_mueller
SplunkTrust

It's normal behavior for the UI to display yyyy-mm-dd 00:00:00 (00:29:xy bin'd to 30m) as just yyyy-mm-dd. The same behavior can be observed with not displaying 000 milliseconds; it's trying to simplify the timestamp for you.

woodcock
Esteemed Legend

So it only happens when you are looking at events that are being interpreted as having happened within 30 minutes after midnight (to you). So retry in an hour and it will look the way that you expect.

yutaka1005
Builder

Wow, you're right.

I confirmed that all logs that can be summarized at "~00:00:00" had this format.

Thank you for the answer and comment!

esix_splunk
Splunk Employee

What seems odd about this? It's your timestamp, plus a GMT+9 hour offset....

yutaka1005
Builder

Normally, if you use bin with _time, you will see timestamps separated by 30 minutes as below.

_time
2019-03-24 10:00:00
2019-03-24 10:30:00
2019-03-24 11:00:00
...

However, the above capture only shows the year, month, date.
Also, this event does not occur in all events in search range, but only in some events.
