topic Why is my timechart search producing some events with no _time values and other field values are displaced in the resulting table? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-producing-some-events-with-no-time/m-p/194165#M55934 <P>Hi, </P> <P>I have this search:</P> <PRE><CODE>host="myhost.com" NOT source=*access_log* AND "SearchA" | timechart span=1d dc(App) as NotAssigned | eval NotAssigned=NotAssigned+0 | appendcols [search SearchB | timechart span=1d sum(Count) as Assigned ] | eval Time=strftime(_time, "%d-%m") |table Time, Assigned, NotAssigned </CODE></PRE> <P>This seems to work ok, but sometimes one of those variables is shown with no time for some events, and I don't know why. </P> <P>This is the case:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/604i3A5D60E650E21864/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>When I made the searches individually, this was displayed correctly. But in some moments, it looks like there are some _time values missing.<BR /> Like in the attached image, today is 26-08, but the table is showing until 25-08, and one of the variables was displaced a couple of days. </P> <P>Do you know how to fix it? ... </P> Wed, 26 Aug 2015 16:00:24 GMT msalaverry 2015-08-26T16:00:24Z Why is my timechart search producing some events with no _time values and other field values are displaced in the resulting table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-producing-some-events-with-no-time/m-p/194165#M55934 <P>Hi, </P> <P>I have this search:</P> <PRE><CODE>host="myhost.com" NOT source=*access_log* AND "SearchA" | timechart span=1d dc(App) as NotAssigned | eval NotAssigned=NotAssigned+0 | appendcols [search SearchB | timechart span=1d sum(Count) as Assigned ] | eval Time=strftime(_time, "%d-%m") |table Time, Assigned, NotAssigned </CODE></PRE> <P>This seems to work ok, but sometimes one of those variables is shown with no time for some events, and I don't know why. </P> <P>This is the case:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/604i3A5D60E650E21864/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>When I made the searches individually, this was displayed correctly. But in some moments, it looks like there are some _time values missing.<BR /> Like in the attached image, today is 26-08, but the table is showing until 25-08, and one of the variables was displaced a couple of days. </P> <P>Do you know how to fix it? ... </P> Wed, 26 Aug 2015 16:00:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-producing-some-events-with-no-time/m-p/194165#M55934 msalaverry 2015-08-26T16:00:24Z Re: Why is my timechart search producing some events with no _time values and other field values are displaced in the resulting table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-producing-some-events-with-no-time/m-p/194166#M55935 <P>Try something like this</P> <PRE><CODE> host="myhost.com" NOT source=*access_log* AND "SearchA" | timechart span=1d dc(App) as NotAssigned | eval NotAssigned=NotAssigned+0 | append [search SearchB | timechart span=1d sum(Count) as Assigned ] | stats values(*) as * by _time | eval Time=strftime(_time, "%d-%m") |table Time, Assigned, NotAssigned </CODE></PRE> Wed, 26 Aug 2015 17:17:08 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-producing-some-events-with-no-time/m-p/194166#M55935 somesoni2 2015-08-26T17:17:08Z Re: Why is my timechart search producing some events with no _time values and other field values are displaced in the resulting table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-producing-some-events-with-no-time/m-p/194167#M55936 <P>Tried, but didn't work <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> .. Why is this happening?</P> Thu, 27 Aug 2015 14:49:14 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-producing-some-events-with-no-time/m-p/194167#M55936 msalaverry 2015-08-27T14:49:14Z Re: Why is my timechart search producing some events with no _time values and other field values are displaced in the resulting table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-producing-some-events-with-no-time/m-p/194168#M55937 <P>It is due to appendcols as there could be different dates available for both the queries. Could you please tell what went wrong with the query I suggested?</P> Thu, 27 Aug 2015 16:52:19 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-producing-some-events-with-no-time/m-p/194168#M55937 somesoni2 2015-08-27T16:52:19Z Re: Why is my timechart search producing some events with no _time values and other field values are displaced in the resulting table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-producing-some-events-with-no-time/m-p/194169#M55938 <P>Hey somesoni2... You were right, I updated the query and I missed to change appendcols to appen ... </P> <P>Seems to be ok now... Thanks a lot!</P> Thu, 27 Aug 2015 18:41:37 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-timechart-search-producing-some-events-with-no-time/m-p/194169#M55938 msalaverry 2015-08-27T18:41:37Z