I have a Splunk query that retrieves one hour's worth of data for one day of the week over four weeks. This week's time change from daylight saving to standard time has caused expected results from the timewrap command. The time offset from previous weeks is -0500 and this week is -0600. After running the timewrap command, the time for the previous weeks is one hour behind the current. The first thing I find odd is that the time is one hour behind the current. It should be the other way around. The second thing is that it is different at all, since I am only querying for one hour.
Search:
host=hosta earliest=-4w@w latest=@m date_wday=monday date_hour=11 | bucket _time span=1m | stats count as total by _time | timewrap w
Results before time change:
_time, total_latest_week, total_1week_before, total_2weeks_before, total_3weeks_before, total_4weeks_before
2015-11-02 11:00:00,1009,1024,1003,784,1032
Now that we changed to standard time (-0600) from daylight savings (-0500), the results show:
_time, total_latest_week, total_1week_before, total_2weeks_before, total_3weeks_before, total_4weeks_before
2015-11-02 10:00:00,,1024,1003,784,1032
...
2015-11-02 11:00:00,1009,,,,
...