Dashboards & Visualizations

Summing seems to quadruple the data I'm expecting

mdblr408
New Member

Hi, I have a list of jobs that I'm trying to chart by the amount of errors each parent job sees. For some reason, the values in the chart are always quadrupled. For example, I can see 5 errors in the data, but the chart shows twenty. In the end, I want to chart the sum of errors of the child jobs aggregated by their parent id. This is more or less the main idea in the query I've tried variations of: chart sum(job.vals.errors) by job.meta.parentkey | sort - _time. I'm very new to Splunk and after a few hours of going through the docs and reading questions I thought I would reach out to the community for answers. Below is the structure of the jobs I'm trying to chart.

    {
        "name": "the child job",
        "vals": {
            "errors": 1,
            "passes": 3
        },
        "meta": {
            "parentkey": "012345"
        }
    }

Thanks for taking a moment to look at this!

0 Karma

DalJeanis
SplunkTrust

Please give us the entire search language, and "obfuscate" any sensitive information. The chances are pretty good that the problem is in how you are extracting the JSON, rather than the code you showed us.

Given no more information, I would approach that in two steps... first extract each child job into a single record with the fields parentkey, name, errors, passes, then use stats on those records.

Ummm. One possibility is that you have four runs of the data, or four records and are somehow getting a cross join, but no way to tell based on what you showed us.

0 Karma

mdblr408
New Member

Thanks for your help. Taking your advice to the best of my knowledge, I used spath to extract the errors and parentkey fields in my search. Once I did this, I was able to use a slightly different chart function successfully. Thanks again for your help!

0 Karma
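
One way to write the two-step approach suggested in this thread (flatten each child job into one record, then aggregate by parent), as an added example that is not from either poster. The two events are constructed, and the outer `job` object is an assumption taken from the field names in the original query.

```spl
| makeresults count=2 ```constructed sample events, not data from the thread```
| streamstats count AS n
| eval _raw=if(n=1,
    "{\"job\":{\"name\":\"child A\",\"vals\":{\"errors\":1,\"passes\":3},\"meta\":{\"parentkey\":\"012345\"}}}",
    "{\"job\":{\"name\":\"child B\",\"vals\":{\"errors\":4,\"passes\":0},\"meta\":{\"parentkey\":\"012345\"}}}") ```assumed wrapper: job.*```
| spath input=_raw path=job.name output=name ```step 1: one flat record per child job```
| spath input=_raw path=job.meta.parentkey output=parentkey
| spath input=_raw path=job.vals.errors output=errors
| spath input=_raw path=job.vals.passes output=passes
| eval copies=mvcount(errors) ```above 1 means the event carries more than one value for errors```
| stats sum(errors) AS total_errors, sum(passes) AS total_passes, max(copies) AS max_copies BY parentkey ```step 2: aggregate per parent```
```

Against real data, replace the first three commands with the base search; a `max_copies` greater than 1 shows that a single event holds several values for `errors`, which inflates any sum taken over that field.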