Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Summing seems to quadruple the data I'm expecting

mdblr408
New Member
‎08-11-2018 08:54 PM

Hi, I have a list of jobs that I'm trying to chart by the amount of errors each parent job sees. For some reason, the values in the chart are always quadrupled. For example, I can see 5 errors in the data, but the chart shows twenty. In the end, I want to chart the sum of errors of the child jobs aggregate by their parent id. This is more or less the main idea in the query I've tried variations of : chart sum(job.vals.errors) by job.meta.parentkey | sort - _time. I'm very new to Splunk and after a few hours of going through the docs and reading questions I thought I would reach out to the community for answers. Below if the structure of the jobs I'm trying to chart. 

  {
                        "name":  "the child job",
                        "vals": {
                            errors: 1,
                            passes: 3
                        },
                        "meta": {
                            "parentkey": 012345
                        }
    }

Thanks for taking a moment to look at this!

0 Karma
Reply

DalJeanis
Legend
‎08-12-2018 02:23 PM

Please give us the entire search language, and "obfuscate" any sensitive information. The chances are pretty good that the problem is in how you are extracting the JSON, rather than the code you showed us.

Given no more information, I would approach that in two steps... first extract each child job into a single record with the fields parentkey, name, errors, passes, then use stats on those records.

Ummm. one possibility is that you have four runs of the data, or four records and are somehow getting a cross join, but no way to tell based on what you showed us.

0 Karma
Reply

mdblr408
New Member
‎08-15-2018 03:30 PM

Thanks for your help. Taking your advice to the best of my knowledge, I used spath to extract the errors and parenKey fields in my search. Once I did this, I was able to use a slightly different chart function successfully. Thanks again for your help!

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...