topic Re: timechart function not working as expected in Splunk Search

timechart function not working as expected

riyastk — Fri, 12 Jul 2024 22:36:47 GMT

I have this query which is working well in Splunk8 whereas I am getting timechart with wrong values in Splunk9. Is there any chage in timchart or case function that may cause this query not to work perfectly?

index=my_index sourcetype=jetty_access_log host="apiserver--*" url="/serveapi*" | eval status_summary=case(status<200, "Invalid",status<300, "2xx", status<400, "3xx",status <500, "4xx",status<600, "5xx",True(),"Invalid") | timechart span=5m count(eval(status_summary="2xx")) as count_http2xx, count(eval(status_summary="3xx")) as count_http3xx, count(eval(status_summary="4xx")) as count_http4xx, count(eval(status_summary="5xx")) as count_http5xx, count(eval(status_summary="Invalid")) as count_httpunk

This screenshot below shows the correct result (Splunk 😎

This screenshot shows the incorrect result ( Splunk 9)

Re: timechart function not working as expected

gcusello — Fri, 12 Jul 2024 06:31:08 GMT

Ciao @riyastk ,

I am not aware that there have been any changes in the functioning of the timechart function; are you really sure that the data in the first case are the same as in the second?
what happens if you launch the search before the timechart and count the occurrences by sight?

In particular, check the values that are indicated in your search as "Invalid".
Then, since you use the eval command, why don't you use the results of this command instead of the "<2xx" condition?
otherwise this command is useless.

Ciao.

Giuseppe

Re: timechart function not working as expected

riyastk — Fri, 12 Jul 2024 12:51:40 GMT

Hi @gcusello thanks for the reply. I checked the events for the "Invalid" matches (the default value in the case block) and I can see there is no "status" field being extracted for those events. So it's evident why those are marked as "Invalid". So the issue must be with the sourcetype, I guess.

Sorry if I didn't mention that the data sets are not the same. I just want to show that the later screenshot has matches for count_httpunk and the first one doesn't have.

Re: timechart function not working as expected

gcusello — Fri, 12 Jul 2024 13:09:01 GMT

Hi @riyastk ,

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: timechart function not working as expected

ITWhisperer — Fri, 12 Jul 2024 13:25:25 GMT

What happens if you try this

| timechart span=5m count by status_summary usenull=f useother=f

Re: timechart function not working as expected

PickleRick — Fri, 12 Jul 2024 17:53:50 GMT

You're running it on different sets of data, right? So how are we supposed to know what and why is the correct result?

Anyway, you're overthinking it. Replace the elaborate evals in your timechart with

| timechart span=5m  count by status_summary

Oh, and please post searches in either code block or preformatted style. Makes them much more readable.