Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

False group by time (microseconds range!)

splunkbeginner2
Path Finder
‎07-06-2014 01:03 AM

Hello,

I wanted to take a look at some data with splunk, as I was suddenly very surprised by its form. splunks showed me some maximum points, where he found a lot more events than in the average. The problem: When I took a look at it with an other query to see the time-ranges of each group I found something very interesting.

Splunk seems to group some events outside of the other ranges! - And I couldn't understand WHY?
thats my Query:
sourcetype=blablabla| stats min(UTC) max(UTC) count by _time

Unfortunately the result is the following:
False Splunk group by

I really would have liked you to upload the picture directly here. But the website said, that only PNG or JPG Files are allowed... And guess what: It didn't accepted my Windows Snipping tool result: Neither as PNG or JPG.
Meanwhile I reached a point where I can only say: Sorry Splunk. But such bugs REALLY sucks and are not worth the huge amount of money, we'll have to pay!

I hope that someone has an explanation and especially that the Splunk Team, which should be reading here, responds if possible, otherwise its very unlikely to recommend it for the company I am evaluating Splunk for. Especially because its not possible to report a bug now without using the Enterprise support...

Regards,

Xantor

Tags (3)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-06-2014 04:07 AM

Couple of points in your question, so let's go through them one by one.

  • You can submit bug reports without having Enterprise Support. Go to splunk.com -> Support -> Support Portal, that should be open for everyone.
  • You did manage to upload the picture directly here? I can see it.

As for your query, please run this:

sourcetype=blablabla| stats min(UTC) max(UTC) count by _time | eval time = strftime(_time, "%+")

Splunk formats the _time field in tables with second precision by default, I'm predicting that each row will have a different millisecond value... probably 0 for the count=18 one, and 332, 513, 659 for the other rows.

Maybe there's a problem with the timestamp recognition for some events? Do post the anonymized events that fall within that second along with the recognized _time value and the props.conf settings for that sourcetype.

0 Karma
Reply

splunkbeginner2
Path Finder
‎07-07-2014 09:59 AM

Hello Martin,

thanks. that type of support worked. when I tried to report a bug directly from splunk I just got the message, that the support portal is offline and I can use the enterprise support.

Yes you can view the picture, because it was hosted external on an other website. Otherwise it wasn't possible, but I reported it now.

I'll try to run the query as soon as I get home.

0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!