Splunk ITSI

Can you help me with the following search in Splunk IT Service Intelligence?

Hemant1
Explorer

Hi team, could you please help me with the below query.

When I am running the following search, it is not giving any data if I increase the time range to more than 8 hours. It's only giving 8 hours, after that blank.

(index=hybecmprod OR index=hybadmprod) "CLUB REGISTRATION END"
| rename UserID_End as UserID | sort by HYB_CLUB_END desc
| join UserID [search index=hybecmprod "Club registration START" | rename userID_Start as UserID | sort by Hybris_Club_Start desc ]
| dedup UserID
| eval et=strptime(HYB_CLUB_END,"%Y/%m/%d %H:%M:%S")
| eval st=strptime(Hybris_Club_Start,"%Y/%m/%d %H:%M:%S")
| eval diff = abs(et-st)
| timechart span=1h avg(diff)

0 Karma

szhou_splunk
Splunk Employee

Hi @Hemant1, maybe you hit the limit of a max of 50K records returned by the subsearch. We can change the limit in limits.conf, but I encourage you not to use the join command here; maybe you can use "stats ... by UserID" instead. You can also refer to https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo....

0 Karma
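A stats-based rewrite of the posted search, added here as an example and not taken from the thread or from Splunk. It keeps both event types in one base search so no join subsearch (and its 50K-record limit) is involved; it assumes every event carries either the END field pair (UserID_End, HYB_CLUB_END) or the START field pair (userID_Start, Hybris_Club_Start) from the original query, uses max() to reproduce the "sort desc, then dedup" choice of the latest start and latest end per user, and uses the END event's _time for the timechart as the original join did:

```spl
((index=hybecmprod OR index=hybadmprod) "CLUB REGISTRATION END")
    OR (index=hybecmprod "Club registration START")
| eval UserID=coalesce(UserID_End, userID_Start)
| eval et=strptime(HYB_CLUB_END, "%Y/%m/%d %H:%M:%S")
| eval st=strptime(Hybris_Club_Start, "%Y/%m/%d %H:%M:%S")
| eval end_event_time=if(isnotnull(HYB_CLUB_END), _time, null())
| stats max(et) AS et, max(st) AS st, max(end_event_time) AS _time BY UserID
| where isnotnull(et) AND isnotnull(st)
| eval diff=abs(et-st)
| timechart span=1h avg(diff)
```

The `where` clause drops users that have only one side, which matches the inner-join behaviour of the original. To confirm the truncation theory first, run the bracketed START subsearch on its own over the same time range with `| stats count` and compare the count with the join subsearch limit (50,000 by default in limits.conf).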

Hemant1
Explorer

This is how I am getting data when I am running the query for 10 hr.

_time              avg(diff)
2018-11-05 02:00
2018-11-05 03:00
2018-11-05 04:00
2018-11-05 05:00
2018-11-05 06:00   1.291497975708502
2018-11-05 07:00   1.0997008973080757
2018-11-05 08:00   1.2740183792815372
2018-11-05 09:00   1.790200138026225
2018-11-05 10:00   2.1325678496868474
2018-11-05 11:00   2.3029525032092426
2018-11-05 12:00   2.6684131736526946

0 Karma

richgalloway
SplunkTrust

Are you sure the data is present in both indexes for all 10 hours?

---
If this reply helps you, Karma would be appreciated.
0 Karma

Hemant1
Explorer

Yes, data is present in both the indexes. When I am putting the time range for the last 24 hr, the query is showing data for some hours only.

_time              avg(diff)
2018-11-05 13:00
2018-11-05 14:00
2018-11-05 15:00
2018-11-05 16:00
2018-11-05 17:00
2018-11-05 18:00
2018-11-05 19:00   3.434729064039409
2018-11-05 20:00   3.149888143176734
2018-11-05 21:00   3.30684500393391
2018-11-05 22:00   4.191972076788831
2018-11-05 23:00   3.518193224592221
2018-11-06 00:00   3.2700892857142856
2018-11-06 01:00   1.8670694864048338
2018-11-06 02:00   2.3823529411764706
2018-11-06 03:00   0.8616600790513834
2018-11-06 04:00   0.7120786516853933
2018-11-06 05:00   0.6442786069651741

And when I am putting the time range in which data was not coming, then it's showing if I only keep that time range.

_time              avg(diff)
2018-11-05 13:00   2.495167286245353
2018-11-05 14:00   2.5229508196721313
2018-11-05 15:00   2.86278964107224
2018-11-05 16:00   2.9426594167078597
2018-11-05 17:00   3.098828323993887
2018-11-05 18:00   7.166666666666667

0 Karma