topic Re: Timechart with latest() doesn't display results when used on its own in Splunk Search

Timechart with latest() doesn't display results when used on its own

echalex — Mon, 15 Aug 2016 08:29:50 GMT

Hi,

I'm trying to follow the disk usage as gather by the NIX app. I think the most appropriate timechart function would be latest() since neither max() nor min() are quite what I need. However, I've noticed the weirdness that latest() doesn't display any values in the visualisation *when used on its own. BUT, if I also include max(), then both values will be shown.

Works (draws graphs for both values):

index=os host=foo OR host=bar sourcetype=df|eval hostmount=host+":"+MountedOn | timechart span=1h max(UsePct), latest(UsePct)  by hostmount

Doesn't work (no graph is drawn):

index=os host=foo OR host=bar sourcetype=df|eval hostmount=host+":"+MountedOn | timechart span=1h latest(UsePct)  by hostmount

I've noticed that it also works if I use latest() in combination with any other statistical function, such as median(), avg(), min(), etc. But it just doesn't work on its own. I'm using Splunk 6.2.4. Is this a bug or just something I'm not getting?

Re: Timechart with latest() doesn't display results when used on its own

maciep — Tue, 16 Aug 2016 00:55:06 GMT

I just tried on 6.3.4 and it seems to be the same. If I had to guess, I'd say the problem is that latest doesn't work on numbers exclusively. Which is nice, because you may want to get the latest value of any field, strings included.

So with that in mind, using latest leaves the "%" on that field and maybe the timechart doesn't know what to do with it. Where it's possible that the other stats functions (max, avg, median, etc) are converting it to a number to actually perform the statistical function? And maybe if they're already doing it, then it gets done for latest too when it's included in the list?

I did notice that if I run this eval before the timechart, it seems to work with latest() on its own

eval UsePct = trim(UsePct,"%")

Not sure if there is a more "inherent" way of telling the timechart to just convert it to a number itself...

Re: Timechart with latest() doesn't display results when used on its own

echalex — Tue, 16 Aug 2016 07:45:03 GMT

Aha! Yes, you're definitely on the right track. I didn't consider that UsePct actually is a string with a %-sign at the end. When I check under the statistics-tab, I can see that latest(UsePct) on its own shows the values with a %-sign. If I also include max(UsePct), the sign is dropped from both values. Odd behaviour, perhaps, but whether it's a bug might be debatable.
Your solutions is probably the simplest. Thanks!

Re: Timechart with latest() doesn't display results when used on its own

echalex — Tue, 16 Aug 2016 07:56:27 GMT

Had to check. tonumber() won't work without trim(), so your solution seems the best.