https://community.splunk.com/t5/Splunk-Enterprise/Splunk-query-not-producing-expected-result/m-p/572252#M10451 <P>Below query is producing expected result only sometime, but not working for similar data on some other random days.</P><P><U><STRONG>Query:</STRONG></U></P><P>index=my_summary source=app_response_status report=app_response_status ApiName=metadata<BR />| timechart span=1d sum("200"), sum("404")</P><P><U><STRONG>Working Data:</STRONG></U></P><P>10/24/2021 00:00:00 +0000, search_name=app_response_status, search_now=1635123600.000, info_min_time=1635033600.000, info_max_time=1635120000.000, info_search_time=1635124485.280, 200=7552, 404=7582, ApiName=metadata, info_sid=scheduler__gmrm_VkEtdm1lLXJ0bXMtc2g__RMD50cd89fe00e4c64f8_at_1635123600_39072, RowTotals=15134, info_max_time="1635120000.000", info_min_time="1635033600.000", info_search_time="1635124485.280", report=app_response_status</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-10-25 at 5.18.46 PM.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16569iC61714F7310C0AB5/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2021-10-25 at 5.18.46 PM.png" alt="Screenshot 2021-10-25 at 5.18.46 PM.png" /></span></P><P><U><STRONG>Not Working Data:</STRONG></U></P><P>09/03/2021 00:00:00 +0000, search_name=app_response_status, search_now=1630717200.000, info_min_time=1630627200.000, info_max_time=1630713600.000, info_search_time=1630717575.202, 200=9483, 404=5287, ApiName=metadata, info_sid=scheduler__gmrm_VkEtdm1lLXJ0bXMtc2g__RMD50cd89fe00e4c64f8_at_1630717200_72746, RowTotals=14770, info_max_time="1630713600.000", info_min_time="1630627200.000", info_search_time="1630717575.202", report=app_response_status&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-10-25 at 5.20.17 PM.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16570i10562857B1231D1D/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2021-10-25 at 5.20.17 PM.png" alt="Screenshot 2021-10-25 at 5.20.17 PM.png" /></span></P><P>I am not able to figure out the problem, both data looks same to me, but not sure why it is not working. pls help.</P> Mon, 25 Oct 2021 11:56:58 GMT ravimishrabglr 2021-10-25T11:56:58Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-query-not-producing-expected-result/m-p/572252#M10451 <P>Below query is producing expected result only sometime, but not working for similar data on some other random days.</P><P><U><STRONG>Query:</STRONG></U></P><P>index=my_summary source=app_response_status report=app_response_status ApiName=metadata<BR />| timechart span=1d sum("200"), sum("404")</P><P><U><STRONG>Working Data:</STRONG></U></P><P>10/24/2021 00:00:00 +0000, search_name=app_response_status, search_now=1635123600.000, info_min_time=1635033600.000, info_max_time=1635120000.000, info_search_time=1635124485.280, 200=7552, 404=7582, ApiName=metadata, info_sid=scheduler__gmrm_VkEtdm1lLXJ0bXMtc2g__RMD50cd89fe00e4c64f8_at_1635123600_39072, RowTotals=15134, info_max_time="1635120000.000", info_min_time="1635033600.000", info_search_time="1635124485.280", report=app_response_status</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-10-25 at 5.18.46 PM.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16569iC61714F7310C0AB5/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2021-10-25 at 5.18.46 PM.png" alt="Screenshot 2021-10-25 at 5.18.46 PM.png" /></span></P><P><U><STRONG>Not Working Data:</STRONG></U></P><P>09/03/2021 00:00:00 +0000, search_name=app_response_status, search_now=1630717200.000, info_min_time=1630627200.000, info_max_time=1630713600.000, info_search_time=1630717575.202, 200=9483, 404=5287, ApiName=metadata, info_sid=scheduler__gmrm_VkEtdm1lLXJ0bXMtc2g__RMD50cd89fe00e4c64f8_at_1630717200_72746, RowTotals=14770, info_max_time="1630713600.000", info_min_time="1630627200.000", info_search_time="1630717575.202", report=app_response_status&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-10-25 at 5.20.17 PM.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16570i10562857B1231D1D/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2021-10-25 at 5.20.17 PM.png" alt="Screenshot 2021-10-25 at 5.20.17 PM.png" /></span></P><P>I am not able to figure out the problem, both data looks same to me, but not sure why it is not working. pls help.</P> Mon, 25 Oct 2021 11:56:58 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-query-not-producing-expected-result/m-p/572252#M10451 ravimishrabglr 2021-10-25T11:56:58Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-query-not-producing-expected-result/m-p/572265#M10452 <P>Probably depends on what parsing rules you have for this sourcetype. Try to search for the first event and do</P><LI-CODE lang="markup">| table *</LI-CODE><P>on it. Then do the same with the other one.</P><P>I'm not sure if you're not having some extra spaces before/after commas in one of the events but I can't tell if this breaks your parsing.</P> Mon, 25 Oct 2021 13:04:09 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-query-not-producing-expected-result/m-p/572265#M10452 PickleRick 2021-10-25T13:04:09Z