Splunk Search

Chart command generates duplicate bins when span argument contains a fractional value

tscroggins
Influencer

In Splunk Enterprise 8.1, when using chart with spans containing fractional values of 0.54, 0.95, and others that result in rounding errors, duplicate bins are created.

For example:

| makeresults count=1000
| eval x=(random()/2147483647)*20
| chart count over x span=0.54

generates a duplicate bin at 9.72-10.26 with a count of 0.

| chart count over x span=1.54

generates a duplicate bin at 15.40-16.94 with a count of 0.

| chart count over x span=2.54

generates a duplicate bin at 15.24-17.78 with a count of 0.

Changing the x values results in different outcomes, of course, but rounding appears to be the cause.

| makeresults count=1000
| eval x=(random()/2147483647)*1000
| chart count over x span=10.54

generates duplicate bins at 31.62-42.16, 52.70-63.24, 94.86-105.40, and 642.94-653.48 with a count of 0.

| makeresults count=1000
| eval x=(random()/2147483647)*1000
| chart count over x span=10.95

generates duplicate bins at 32.85-43.80 and 153.30-164.25 with counts of 0.

| makeresults count=1000
| eval x=(random()/2147483647)*200000
| chart count over x span=100.54

generates 258 duplicate bins with counts of 0.

I haven't tested earlier versions of Splunk yet, but I'm curious if others are seeing the same issue. My personal Splunk account isn't attached to a support agreement, so I can't submit a bug report.

Labels (1)
Tags (3)
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...