Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

what makes tstats on _internal go wrong?

MonkeyK
Builder
‎10-22-2021 02:20 PM

My teammate and I have been trying to summarize our environment to automatically build a data dictionary.  Our last feature was to add a lastSeen time to use as a rudimentary data integrity check.  
Recently this has stopped working on the _internal index.  As in tstats max time on _internal is a week ago, even though a straight SPL search on index=_internal returns results for today or any other arbitrary slice of time I query over the last week.  This suggests to me that the tsidx is messed up for _internal.  

But to make matters more confusing, yesterday I was able to submit the same query and get a correct max(_time) for index=_internal.  

Does anyone have an idea of what is going on with this behavior? Better yet, what I need to do to fix it?

If it matters, this is a clustered search head environment and we also have quite a few indexers

 

usual results

 

 

 

| tstats count max(_time) as lastSeen where index=_* earliest=-20d@d latest=@m by index
| convert ctime(lastSeen)

 

 

 

index count lastSeen

_audit99999999910/22/2021 15:39:59
_internal999999910/14/2021 20:09:35
_introspection99999999910/22/2021 15:39:59
_telemetry99910/22/2021 12:05:05
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎10-25-2021 01:26 PM

It's a known issue but not currently listed on  the known issues page (I have an active support case open on it).

I did ask why it's not on the known issues page, I'll ask support again for it to be listed...

Basically for tstats on the internal index you can add include_reduced_buckets=t, and that should make your results accurate.

However I found this made the search dramatically slower so it was better to not use tstats, they haven't provided a version with a bugfix yet...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎10-23-2021 10:49 PM

Which splunk version? I've hit an issue that appears to be a known issue with tstats and the internal index in 8.2.2...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

MonkeyK
Builder
‎10-25-2021 07:08 AM

I'm on 8.2.2 as well.
If the problem is really just _internal, I'm not super concerned.  But it really makes me uncomfortable that there might be errors with other indexes.

0 Karma
Reply
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎10-25-2021 01:26 PM

It's a known issue but not currently listed on  the known issues page (I have an active support case open on it).

I did ask why it's not on the known issues page, I'll ask support again for it to be listed...

Basically for tstats on the internal index you can add include_reduced_buckets=t, and that should make your results accurate.

However I found this made the search dramatically slower so it was better to not use tstats, they haven't provided a version with a bugfix yet...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...