topic Re: Timechart bug. in Splunk Search

Timechart bug.

reverse — Thu, 15 Aug 2019 15:16:40 GMT

index="iedss_was_prd" OR index=iedss_mule_prd 
| rex field=source "(?P<logType>[^\\\]+)$" 
| eval raw_len=len(_raw) 
| eval raw_len_mb = raw_len/1024/1024 
| eval raw_len_mb = round(raw_len_mb,2) 
| timechart span=1d useother=false sum(raw_len_mb) as MB by logType limit=0

there is clearly a bug in timechart.
I have around 70 logTypes.
After running the above query across 7 days - in result some logtype column values are ZERO.
If I add |eval logType ="thatlogtype*"
then the result is right.

Thoughts

Re: Timechart bug.

Sukisen1981 — Thu, 15 Aug 2019 15:56:16 GMT

hi @reverse your timechart is correct , and it could be a bug but it is more likely to be an issue with the logType.
You say - 'If I add |eval logType ="thatlogtype*"' it works.
Which means that logType is not being extracted / identified default. Could you please post a sample of your logs and query before the timechart part?

Re: Timechart bug.

reverse — Thu, 15 Aug 2019 16:03:39 GMT

index="myindex"
| rex field=source "(?P<logType>[^\\\]+)$" 
| eval raw_len=len(_raw) 
| eval raw_len_mb = raw_len/1024/1024 
| eval raw_len_mb = round(raw_len_mb,2) 
| timechart span=1d useother=false sum(raw_len_mb) as MB by logType limit=0

Re: Timechart bug.

reverse — Thu, 15 Aug 2019 16:05:05 GMT

logType is getting extracted just fine .. so no issues there .. it is just all values are ZERO.

Re: Timechart bug.

Sukisen1981 — Wed, 30 Sep 2020 01:46:46 GMT

hi @reverse
you are calculating the raw length in gb for 1 event and then rounding it off to 2 decimal places. Most likely your raw_len is something like 0.00xxx or 0.0yyy or even 0.000zzz
remove the eval before timechart and well check the raw_len_mb field values under interesting fields

Re: Timechart bug.

reverse — Thu, 15 Aug 2019 16:38:54 GMT

good catch ..let me try ..

Re: Timechart bug.

reverse — Thu, 15 Aug 2019 16:41:22 GMT

@Sukisen1981 it worked !.. thank you

Re: Timechart bug.

reverse — Thu, 15 Aug 2019 16:44:23 GMT

but now how do i change it to MB for all columns.. ?

| timechart span=1d useother=false sum(raw_len) as KBby logType limit=0
| eval MB = round(KB/1024/1024,2)

Re: Timechart bug.

Sukisen1981 — Thu, 15 Aug 2019 16:45:37 GMT

glad it worked I am converting my comment to an answer, please accept it as it significantly helped resolve your issue.

Re: Timechart bug.

mayurr98 — Thu, 15 Aug 2019 16:46:52 GMT

well its not a bug, all values are zero thats because you are rounding it up to 2, look for raw_len field values and you should see number which is very small (few hundred bytes) and then you are converting it to MB which will be very very small.
If this problem persist, could you please let us know the output of raw_len or you could try increasing the rounding it up to 5,6 maybe?

also try normalizing it :

index="myindex"
 | rex field=source "(?P<logType>[^\\\]+)$" 
 | eval raw_len=len(_raw) 
 | eval raw_len_mb = round(raw_len/1024/1024,5 )
 | timechart span=1d useother=false sum(raw_len_mb) as MB by logType limit=0

let me know if this helps!

Re: Timechart bug.

Sukisen1981 — Thu, 15 Aug 2019 16:49:08 GMT

when you use len of anything it does not show you the length in bytes kb/mb at all....its merely showing you the string / char length of your _raw event..what exactly are you trying to do here?

Re: Timechart bug.

reverse — Thu, 15 Aug 2019 16:52:34 GMT

getting log file sizes to monitor log growth .. and spikes

Re: Timechart bug.

Sukisen1981 — Thu, 15 Aug 2019 16:59:06 GMT

you are getting what I am saying right? the moment you use len(x)...it works like a string length function...

Re: Timechart bug.

reverse — Thu, 15 Aug 2019 17:03:19 GMT

thats fine .. i know it wont be 100% match with log file size .. even 95% match would do...