topic Timechart after sort display in Splunk Search

Timechart after sort display

Hod152 — Tue, 16 Jul 2024 12:17:40 GMT

Hey,
Iv'e noticed some wierd behviour that is making me suspect the relaibility of my queries so I'm really looking for an explanation, I was making some searches and displaying them on a timechart, for some reason the timechart looks completly different when I sort the fields befor.

this is the basic search and it's results:

|tstats count WHERE case=test responseCode=200 requestStatus!=legal by clientIp _time span=1h| timechart sum(count) span=1h

After sorting clientIp field this is how the graph looks like:

|tstats count WHERE case=test responseCode=200 requestStatus!=legal by clientIp _time span=1h| sort -clientIp |timechart sum(count) span=1h

|tstats count WHERE case=test responseCode=200 requestStatus!=legal by clientIp _time span=1h| sort +clientIp |timechart sum(count) span=1h

Note that the count is decreased on the sorted search.

What can explain that behaviour? Which chart should I relay on? Is that a feature of sorting?

Thanks

Re: Timechart after sort display

gcusello — Tue, 16 Jul 2024 12:43:29 GMT

Hi @Hod152,

why you did this?

if you have tstats BY _time, you already have the timechart:

| tstats count WHERE case=test responseCode=200 requestStatus!=legal BY clientIp _time span=1h

Anyway, it's always better to indicate the indexes to use in the search, to have more performant searces and avoid default search path issues.

Ciao.

Giuseppe

Re: Timechart after sort display

ITWhisperer — Tue, 16 Jul 2024 13:03:38 GMT

sort truncates at 10k values - try something like this

| sort 0 -clientip

Re: Timechart after sort display

Hod152 — Wed, 17 Jul 2024 10:32:17 GMT

It just suited my work sequence...

Re: Timechart after sort display

Hod152 — Wed, 17 Jul 2024 11:00:58 GMT

Thanks!