All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

TA for Wunderground: Why are all the values not returned using the history feature?

agoriawala_splu
Splunk Employee
Splunk Employee
‎06-01-2015 11:15 AM

I am trying to use the history feature to retrieve daily weather values for San Francisco & Dallas using the search query :

sourcetype="wunderground" source="wunderground:SF"

sourcetype="wunderground" source="wunderground:Dallas"

and my json configuration file is

API feature = history

{ "country": "CA", "city": "San Francisco", "from":"2007-01-01", "to":"2015-05-01"}

{ "city": "Dallas", "country": "TX" ,"from":"2014-12-01", "to":"2014-12-10"}

The results for this vary in number of events from as low as 70 to sometimes 200-300 but they show results only for the year 2007 that also not the complete year.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎06-01-2015 12:27 PM

The default time that Splunk looks back is 2000 Days. Splunk consumes the API data and sets the _time field to the time of the Wunderground collection time. So therefore, we need to increase the time.

In local/props.conf, add this:

[wunderground]
MAX_DAYS_AGO = 10000

And restart. The data should start appearing in the correct time buckets.

0 Karma
Reply

agoriawala_splu
Splunk Employee
Splunk Employee
‎06-01-2015 05:15 PM

So I ran my search again using
sourcetype="wunderground" source="wunderground:SF"
for the config file - { "country": "CA", "city": "San Francisco", "from":"2007-01-01", "to":"2015-05-01"}

First I got 25 events for Jan 2007 in the results, then after running it again after a brief period I got more values for Jan & feb around 800. I repeated this process of running after a few intervals and got around 800 events per month for uptil May 2007.

Then when I ran the search again, it returned more values for January & February (the counts went up from 800 to around 2000) but they were all duplicates. Shortly after I received an email from wunderground stating I had exceeded the number of daily calls (500 since I am a free user). Also for 1st June 2015 I get events returned but they do not contain any data. What am I doing incorrectly? Please check the screenshots alt text.alt text

drive.google.com/file/d/0B8IDZa4NAwfqXzhUNmVydlFOQWs/view?usp=sharing
drive.google.com/file/d/0B8IDZa4NAwfqMjR2YkhUc1lFLUE/view?usp=sharing

0 Karma
Reply

agoriawala_splu
Splunk Employee
Splunk Employee
‎06-01-2015 12:43 PM

Thanks for the reply! So I tried that and the results that followed weren't different than what I was getting earlier. Right now I got values only for the year 2007. I also tried this for the time range 2014-12-01 to 2014-12-22 as pointed out by another answer in this group. But I still didn't get all the values.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...