Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Summing seems to quadruple the data I'm expecting

mdblr408
New Member
‎08-11-2018 08:54 PM

Hi, I have a list of jobs that I'm trying to chart by the amount of errors each parent job sees. For some reason, the values in the chart are always quadrupled. For example, I can see 5 errors in the data, but the chart shows twenty. In the end, I want to chart the sum of errors of the child jobs aggregate by their parent id. This is more or less the main idea in the query I've tried variations of : chart sum(job.vals.errors) by job.meta.parentkey | sort - _time. I'm very new to Splunk and after a few hours of going through the docs and reading questions I thought I would reach out to the community for answers. Below if the structure of the jobs I'm trying to chart. 

  {
                        "name":  "the child job",
                        "vals": {
                            errors: 1,
                            passes: 3
                        },
                        "meta": {
                            "parentkey": 012345
                        }
    }

Thanks for taking a moment to look at this!

0 Karma
Reply

DalJeanis
Legend
‎08-12-2018 02:23 PM

Please give us the entire search language, and "obfuscate" any sensitive information. The chances are pretty good that the problem is in how you are extracting the JSON, rather than the code you showed us.

Given no more information, I would approach that in two steps... first extract each child job into a single record with the fields parentkey, name, errors, passes, then use stats on those records.

Ummm. one possibility is that you have four runs of the data, or four records and are somehow getting a cross join, but no way to tell based on what you showed us.

0 Karma
Reply

mdblr408
New Member
‎08-15-2018 03:30 PM

Thanks for your help. Taking your advice to the best of my knowledge, I used spath to extract the errors and parenKey fields in my search. Once I did this, I was able to use a slightly different chart function successfully. Thanks again for your help!

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...