Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Does date_hour work properly

xvxt006
Contributor
‎10-28-2013 04:02 PM

Hi,
I am getting order count today by hour vs last week same day by hour and having a column chart. This works fine most of the times but some times counts are wrong for the sub query. It looks like the counts are being shifted. For example, 9th hour shows 6th hour counts, etc. This does not happpen all the time but don't know why this happens some times. Any idea?

sourcetype="access_combined_wcookie" (uri=/submitOrder) earliest=-7d@d latest=-6d@d | stats count as LastWeek by date_hour | appendcols [search sourcetype="access_combined_wcookie" (uri=/submitOrder) earliest=@d latest=now | stats count as Today by date_hour]

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-28-2013 04:51 PM

I had this inconsistent behavior for appendcols as well. I replaced the appendcols with join and was able to get more consistent result with data in same format. Try below and let me know if it helped.

sourcetype="access_combined_wcookie" (uri=/submitOrder) earliest=-7d@d latest=-6d@d | stats count as LastWeek by date_hour | join type=outer date_hour [search sourcetype="access_combined_wcookie" (uri=/submitOrder) earliest=@d latest=now | stats count as Today by date_hour]

View solution in original post

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎10-28-2013 05:25 PM

It could perhaps be due to the fact that the date_* fields are extracted as-is from the events, and do not take timezones into consideration (which _time) does.

Thus you might be better off with extracting this information yourself with

| eval hr=strftime(_time, "%H")|

before the stats (in both inner and outer searches). Then use

by hr

instead of

by date_hour

/k

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎10-29-2013 12:02 AM

You have read the documentation for appendcols, right?

Synopsis

Appends the fields of the subsearch results to current results, first results to first result, second to second, etc.

If there are no results for a certain time slot in either of the searches, the results would be shifted, as per documentation.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Appendcols

/K

0 Karma
Reply
Solved! Jump to solution

xvxt006
Contributor
‎10-28-2013 08:53 PM

Hi Kristian, Thanks for your suggestion. I tried it and it showed the same behavior. Looks like it is due to appendcols as per below answer.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-28-2013 04:51 PM

I had this inconsistent behavior for appendcols as well. I replaced the appendcols with join and was able to get more consistent result with data in same format. Try below and let me know if it helped.

sourcetype="access_combined_wcookie" (uri=/submitOrder) earliest=-7d@d latest=-6d@d | stats count as LastWeek by date_hour | join type=outer date_hour [search sourcetype="access_combined_wcookie" (uri=/submitOrder) earliest=@d latest=now | stats count as Today by date_hour]
Reply
Solved! Jump to solution

xvxt006
Contributor
‎10-28-2013 08:52 PM

Thank you. It seems to be working fine. I have to wait few days to see if i get the behavior again. Thanks for your help.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...