Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

BUG: tstats not displaying latest time modifier correctly

the_wolverine
Champion
‎11-12-2015 12:15 PM

It appears that tstats will not honor my latest value. Instead is silently uses "now"

| tstats count where index=main earliest="11/12/2015:09:00:00" latest="11/12/2015:10:00:00"

Returns a count from my earliest until now. I want latest = the date I specified.

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎11-12-2015 12:45 PM

Looks like this is just a bug in the UI then. The UI displays the incorrect latest time but the counts are as expected:

| tstats count where index=main earliest="11/12/2015:09:00:00" latest="11/12/2015:10:00:00"

12345 events (11/12/15 9:00:00.000 AM to 11/12/15 12:41:54.000 PM )

View solution in original post

Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎11-12-2015 12:45 PM

Looks like this is just a bug in the UI then. The UI displays the incorrect latest time but the counts are as expected:

| tstats count where index=main earliest="11/12/2015:09:00:00" latest="11/12/2015:10:00:00"

12345 events (11/12/15 9:00:00.000 AM to 11/12/15 12:41:54.000 PM )

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎11-12-2015 12:27 PM

Hi the_wolverine,

Yes, this is possible:

 | tstats count where earliest="11/11/2015:00:00:00" latest="11/12/2015:17:12:00" index=_internal groupby _time span=1m
 | tstats count where index=_internal earliest="11/11/2015:00:00:00" latest="11/12/2015:17:12:00" groupby _time span=1m
 | tstats count AS myCount where earliest="11/11/2015:00:00:00" latest="11/12/2015:17:12:00" index=_internal

all searches use latestTime 2015-11-12T17:12:00.000+13:00 which can be verified in the search.log
This is tested on Splunk 6.3.1 on Linux.

cheers, MuS

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎11-12-2015 12:44 PM

Yes, this is Splunk version related, because on Splunk 6.3.0 this search 

 | tstats count where index=_internal earliest="11/11/2015:00:00:00" latest="11/12/2015:17:12:00"

will use latestTime 2015-11-13T09:41:22.000+13:00 and shows 2,624,870 events (11/11/15 12:00:00.000 AM to 11/13/15 9:41:22.000 AM)
all the other searches from my answer also fail to use latest correct - bug alert....

Reply
Solved! Jump to solution

the_wolverine
Champion
‎11-12-2015 12:32 PM

So it looks like the order is important. If you run the same query with the index before the time specifiers, then the latest is not honored. If the syntax is not documented then this is a bug -- or I am misunderstanding how tstats work where time modifiers need to come first.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎11-12-2015 12:38 PM

no quiet sure, because this works as well:

 | tstats count where index=_internal earliest="11/11/2015:00:00:00" latest="11/12/2015:17:12:00"

returns 256,955 events (before 12/11/2015 17:12:00.000) and uses latestTime 2015-11-12T17:12:00.000+13:00 in the search..... maybe Splunk version related?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...