Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

timechart count against si gives different max results for 2 intervals

Starlette
Contributor
‎10-10-2011 03:11 AM

I have si search "save" for every 5 mins as :

search = sourcetype="cisco_firewall" | sitimechart count

When running a report for last hour :
search = index=summary marker=cisco_firewall_05 | timechart count

I get line which is 200.000 events

BUT when i ran a "last 4 hours", I get a line in the +1milion count.
I doubt that i am using count over time wrong with si or is this unexpexted behaviour.

if I take a look at a slice for 5 mins in e.g. last 30 mins i get

10/10/11 11:30:00.000 AM 248483
10/10/11 11:31:00.000 AM 252576
10/10/11 11:32:00.000 AM 256538
10/10/11 11:33:00.000 AM 249775
10/10/11 11:34:00.000 AM 246672
10/10/11 11:35:00.000 AM 245773

And for last 4 hours i see 5 minutes bins wich are give the totals...

10/10/11 9:45:00.000 AM 1166499
10/10/11 9:50:00.000 AM 1201649
10/10/11 9:55:00.000 AM 1170088
10/10/11 10:00:00.000 AM 1186497
10/10/11 10:05:00.000 AM 1189967

So how to deal with this?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Drainy
Champion
‎10-10-2011 03:25 AM

I would try setting the span on the timechart command as you may find it is trying to figure one out itself which is giving inconsistent results.
Try span=5m to test 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

Drainy
Champion
‎10-10-2011 03:25 AM

I would try setting the span on the timechart command as you may find it is trying to figure one out itself which is giving inconsistent results.
Try span=5m to test 🙂

Reply
Solved! Jump to solution

Starlette
Contributor
‎10-10-2011 03:28 AM

yeah that was the trick,,,,After the + hours the span=5 minutes is added, so thats why within the hour the results are 1/5 off ( just use 1 minute)

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...