All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

TA for Wunderground: Why are all the values not returned using the history feature?

agoriawala_splu
Splunk Employee
Splunk Employee
‎06-01-2015 11:15 AM

I am trying to use the history feature to retrieve daily weather values for San Francisco & Dallas using the search query :

sourcetype="wunderground" source="wunderground:SF"

sourcetype="wunderground" source="wunderground:Dallas"

and my json configuration file is

API feature = history

{ "country": "CA", "city": "San Francisco", "from":"2007-01-01", "to":"2015-05-01"}

{ "city": "Dallas", "country": "TX" ,"from":"2014-12-01", "to":"2014-12-10"}

The results for this vary in number of events from as low as 70 to sometimes 200-300 but they show results only for the year 2007 that also not the complete year.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎06-01-2015 12:27 PM

The default time that Splunk looks back is 2000 Days. Splunk consumes the API data and sets the _time field to the time of the Wunderground collection time. So therefore, we need to increase the time.

In local/props.conf, add this:

[wunderground]
MAX_DAYS_AGO = 10000

And restart. The data should start appearing in the correct time buckets.

0 Karma
Reply

agoriawala_splu
Splunk Employee
Splunk Employee
‎06-01-2015 05:15 PM

So I ran my search again using
sourcetype="wunderground" source="wunderground:SF"
for the config file - { "country": "CA", "city": "San Francisco", "from":"2007-01-01", "to":"2015-05-01"}

First I got 25 events for Jan 2007 in the results, then after running it again after a brief period I got more values for Jan & feb around 800. I repeated this process of running after a few intervals and got around 800 events per month for uptil May 2007.

Then when I ran the search again, it returned more values for January & February (the counts went up from 800 to around 2000) but they were all duplicates. Shortly after I received an email from wunderground stating I had exceeded the number of daily calls (500 since I am a free user). Also for 1st June 2015 I get events returned but they do not contain any data. What am I doing incorrectly? Please check the screenshots alt text.alt text

drive.google.com/file/d/0B8IDZa4NAwfqXzhUNmVydlFOQWs/view?usp=sharing
drive.google.com/file/d/0B8IDZa4NAwfqMjR2YkhUc1lFLUE/view?usp=sharing

0 Karma
Reply

agoriawala_splu
Splunk Employee
Splunk Employee
‎06-01-2015 12:43 PM

Thanks for the reply! So I tried that and the results that followed weren't different than what I was getting earlier. Right now I got values only for the year 2007. I also tried this for the time range 2014-12-01 to 2014-12-22 as pointed out by another answer in this group. But I still didn't get all the values.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...