Splunk ITSI

Can you help me with the following search in Splunk IT Service Intelligence?

Hemant1
Explorer

Hi team, could you please help me with the below query.

When I am running the following search, it is not giving any data if I increase the time range to more than 8 hours. It's only giving 8 hours, after that blank.

(index=hybecmprod OR index=hybadmprod) "CLUB REGISTRATION END"
| rename UserID_End as UserID | sort by HYB_CLUB_END desc
| join UserID [search index=hybecmprod "Club registration START" | rename userID_Start as UserID | sort by Hybris_Club_Start desc ]
| dedup UserID
| eval et=strptime(HYB_CLUB_END,"%Y/%m/%d %H:%M:%S") | eval st=strptime(Hybris_Club_Start,"%Y/%m/%d %H:%M:%S") | eval diff = abs(et-st)
| timechart span=1h avg(diff)

0 Karma

szhou_splunk
Splunk Employee

Hi @Hemant1, maybe you hit the limit of max 50K records returned by subsearch. We can change the limit in limits.conf, but I encourage you not to use the join command here; maybe you can use "stats ... by UserID" instead. You can also refer to https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo....

0 Karma
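A join-free version of the search built on stats by UserID, as szhou_splunk suggests. This is an added example, not code from the thread; it assumes the index and field names from Hemant1's original query, and keeps the latest START and latest END timestamp per user, which is what the sort/dedup combination in the original did.

```spl
((index=hybecmprod OR index=hybadmprod) "CLUB REGISTRATION END")
    OR (index=hybecmprod "Club registration START")
| eval UserID=coalesce(UserID_End, userID_Start)
| eval et=strptime(HYB_CLUB_END, "%Y/%m/%d %H:%M:%S")
| eval st=strptime(Hybris_Club_Start, "%Y/%m/%d %H:%M:%S")
| stats max(et) AS et, max(st) AS st BY UserID
| where isnotnull(et) AND isnotnull(st)
| eval diff=abs(et-st)
| eval _time=et
| timechart span=1h avg(diff)
```

Because both event types come from one base search, the subsearch result limit the answer mentions no longer applies, so widening the time range cannot silently truncate the START side; users with only one of the two events are dropped explicitly by the where clause instead.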

Hemant1
Explorer

This is how I am getting data when I am running the query for 10 hr.

2018-11-05 02:00
2018-11-05 03:00
2018-11-05 04:00
2018-11-05 05:00
2018-11-05 06:00 1.291497975708502
2018-11-05 07:00 1.0997008973080757
2018-11-05 08:00 1.2740183792815372
2018-11-05 09:00 1.790200138026225
2018-11-05 10:00 2.1325678496868474
2018-11-05 11:00 2.3029525032092426
2018-11-05 12:00 2.6684131736526946

0 Karma

richgalloway
SplunkTrust

Are you sure the data is present in both indexes for all 10 hours?

---
If this reply helps you, Karma would be appreciated.
0 Karma

Hemant1
Explorer

Yes, data is present in both the indexes. When I am putting the time range for the last 24 hr, the query is showing data for some hours only.

2018-11-05 13:00
2018-11-05 14:00
2018-11-05 15:00
2018-11-05 16:00
2018-11-05 17:00
2018-11-05 18:00
2018-11-05 19:00 3.434729064039409
2018-11-05 20:00 3.149888143176734
2018-11-05 21:00 3.30684500393391
2018-11-05 22:00 4.191972076788831
2018-11-05 23:00 3.518193224592221
2018-11-06 00:00 3.2700892857142856
2018-11-06 01:00 1.8670694864048338
2018-11-06 02:00 2.3823529411764706
2018-11-06 03:00 0.8616600790513834
2018-11-06 04:00 0.7120786516853933
2018-11-06 05:00 0.6442786069651741

And when I am putting in the time range in which data was not coming, then it's showing, if I only keep that time range.
2018-11-05 13:00 2.495167286245353
2018-11-05 14:00 2.5229508196721313
2018-11-05 15:00 2.86278964107224
2018-11-05 16:00 2.9426594167078597
2018-11-05 17:00 3.098828323993887
2018-11-05 18:00 7.166666666666667

0 Karma