Splunk IT Service Intelligence
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you help me with the following search in Splunk IT Service Intelligence?

Hemant1
Explorer
‎11-05-2018 03:32 AM

Hi team, could you please help me in the below query .

When i am running the following search, it is not giving any data if i increase the time range to more than 8 hours. It's only giving 8 hours after that blank .

(index=hybecmprod OR index=hybadmprod) "CLUB REGISTRATION END"
| rename UserID_End as UserID | sort by HYB_CLUB_END desc
| join UserID [search index=hybecmprod "Club registration START" | rename userID_Start as UserID | sort by Hybris_Club_Start desc ]
|dedup UserID
| eval et=strptime(HYB_CLUB_END,"%Y/%m/%d %H:%M:%S") | eval st=strptime(Hybris_Club_Start,"%Y/%m/%d %H:%M:%S") | eval diff = abs(et-st)
| timechart span=1h avg(diff)

0 Karma
Reply

szhou_splunk
Splunk Employee
Splunk Employee
‎10-22-2019 04:28 PM

Hi, @Hemant1 maybe you hit the limit of max of 50K records returned by subsearch, we can change the limit in limits.conf but I encourage you not using join command here , maybe you can use "*stats ... by UserID" instead. You can also refer to https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo....

0 Karma
Reply

Hemant1
Explorer
‎11-05-2018 03:34 AM

this is how i am getting data when i am running query for 10 hr.
2018-11-05 02:00

2018-11-05 03:00

2018-11-05 04:00

2018-11-05 05:00

2018-11-05 06:00 1.291497975708502
2018-11-05 07:00 1.0997008973080757
2018-11-05 08:00 1.2740183792815372
2018-11-05 09:00 1.790200138026225
2018-11-05 10:00 2.1325678496868474
2018-11-05 11:00 2.3029525032092426
2018-11-05 12:00 2.6684131736526946

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-05-2018 04:08 AM

Are you sure the data is present in both indexes for all 10 hours?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Hemant1
Explorer
‎11-05-2018 10:58 PM

Yes data is present in both the indexes when i am putting the time range for last 24 hr , the query showing data for some hour only.

2018-11-05 13:00

2018-11-05 14:00

2018-11-05 15:00

2018-11-05 16:00

2018-11-05 17:00

2018-11-05 18:00

2018-11-05 19:00 3.434729064039409
2018-11-05 20:00 3.149888143176734
2018-11-05 21:00 3.30684500393391
2018-11-05 22:00 4.191972076788831
2018-11-05 23:00 3.518193224592221
2018-11-06 00:00 3.2700892857142856
2018-11-06 01:00 1.8670694864048338
2018-11-06 02:00 2.3823529411764706
2018-11-06 03:00 0.8616600790513834
2018-11-06 04:00 0.7120786516853933
2018-11-06 05:00 0.6442786069651741

And when i am putting the time range in which data was not coming then its showing if i only keep that time range.
2018-11-05 13:00 2.495167286245353
2018-11-05 14:00 2.5229508196721313
2018-11-05 15:00 2.86278964107224
2018-11-05 16:00 2.9426594167078597
2018-11-05 17:00 3.098828323993887
2018-11-05 18:00 7.166666666666667

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...