All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

TA for Wunderground: Why are all the values not returned using the history feature?

agoriawala_splu
Splunk Employee
Splunk Employee
‎06-01-2015 11:15 AM

I am trying to use the history feature to retrieve daily weather values for San Francisco & Dallas using the search query :

sourcetype="wunderground" source="wunderground:SF"

sourcetype="wunderground" source="wunderground:Dallas"

and my json configuration file is

API feature = history

{ "country": "CA", "city": "San Francisco", "from":"2007-01-01", "to":"2015-05-01"}

{ "city": "Dallas", "country": "TX" ,"from":"2014-12-01", "to":"2014-12-10"}

The results for this vary in number of events from as low as 70 to sometimes 200-300 but they show results only for the year 2007 that also not the complete year.

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎06-01-2015 12:27 PM

The default time that Splunk looks back is 2000 Days. Splunk consumes the API data and sets the _time field to the time of the Wunderground collection time. So therefore, we need to increase the time.

In local/props.conf, add this:

[wunderground]
MAX_DAYS_AGO = 10000

And restart. The data should start appearing in the correct time buckets.

0 Karma
Reply

agoriawala_splu
Splunk Employee
Splunk Employee
‎06-01-2015 05:15 PM

So I ran my search again using
sourcetype="wunderground" source="wunderground:SF"
for the config file - { "country": "CA", "city": "San Francisco", "from":"2007-01-01", "to":"2015-05-01"}

First I got 25 events for Jan 2007 in the results, then after running it again after a brief period I got more values for Jan & feb around 800. I repeated this process of running after a few intervals and got around 800 events per month for uptil May 2007.

Then when I ran the search again, it returned more values for January & February (the counts went up from 800 to around 2000) but they were all duplicates. Shortly after I received an email from wunderground stating I had exceeded the number of daily calls (500 since I am a free user). Also for 1st June 2015 I get events returned but they do not contain any data. What am I doing incorrectly? Please check the screenshots alt text.alt text

drive.google.com/file/d/0B8IDZa4NAwfqXzhUNmVydlFOQWs/view?usp=sharing
drive.google.com/file/d/0B8IDZa4NAwfqMjR2YkhUc1lFLUE/view?usp=sharing

0 Karma
Reply

agoriawala_splu
Splunk Employee
Splunk Employee
‎06-01-2015 12:43 PM

Thanks for the reply! So I tried that and the results that followed weren't different than what I was getting earlier. Right now I got values only for the year 2007. I also tried this for the time range 2014-12-01 to 2014-12-22 as pointed out by another answer in this group. But I still didn't get all the values.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...