Splunk Search

False group by time (microseconds range!)

splunkbeginner2
Path Finder

Hello,

I wanted to take a look at some data with Splunk, as I was suddenly very surprised by its form. Splunk showed me some maximum points where it found a lot more events than on average. The problem: when I took a look at it with another query to see the time ranges of each group, I found something very interesting.

Splunk seems to group some events outside of the other ranges! And I couldn't understand WHY?
That's my query:
sourcetype=blablabla| stats min(UTC) max(UTC) count by _time

Unfortunately the result is the following:
False Splunk group by

I really would have liked to upload the picture directly here. But the website said that only PNG or JPG files are allowed... And guess what: it didn't accept my Windows Snipping Tool result, neither as PNG nor as JPG.
Meanwhile I have reached a point where I can only say: Sorry Splunk. But such bugs REALLY suck and are not worth the huge amount of money we'll have to pay!

I hope that someone has an explanation, and especially that the Splunk Team, which should be reading here, responds if possible; otherwise it's very unlikely that I can recommend it for the company I am evaluating Splunk for. Especially because it's not possible to report a bug now without using the Enterprise support...

Regards,

Xantor

0 Karma

martin_mueller
SplunkTrust

Couple of points in your question, so let's go through them one by one.

  • You can submit bug reports without having Enterprise Support. Go to splunk.com -> Support -> Support Portal, that should be open for everyone.
  • You did manage to upload the picture directly here? I can see it.

As for your query, please run this:

sourcetype=blablabla| stats min(UTC) max(UTC) count by _time | eval time = strftime(_time, "%+")

Splunk formats the _time field in tables with second precision by default; I'm predicting that each row will have a different millisecond value... probably 0 for the count=18 one, and 332, 513, 659 for the other rows.

Maybe there's a problem with the timestamp recognition for some events? Do post the anonymized events that fall within that second along with the recognized _time value and the props.conf settings for that sourcetype.

0 Karma
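To make the point of the answer above concrete, here is a small added simulation (my own example code, not from the thread or from Splunk) of what `stats count by _time` does when _time carries sub-second precision. The event set is constructed: 21 events inside one wall-clock second, with millisecond offsets chosen to match the values guessed in the answer. It shows that the grouping itself is correct (four distinct _time values give four rows), that rendering those rows at second precision makes them look like a false group, and that truncating _time to the second before counting (the equivalent of `bin _time span=1s`) collapses them into the single row the poster expected.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data (not from the thread): 21 events that all fall in the
# same wall-clock second, with sub-second _time values chosen to mirror the
# millisecond offsets guessed in the answer above.
BASE = 1451606400  # 2016-01-01T00:00:00Z, an arbitrary epoch second
EVENTS = (
    [{"_time": BASE + 0.000}] * 18
    + [{"_time": BASE + 0.332}, {"_time": BASE + 0.513}, {"_time": BASE + 0.659}]
)


def stats_count_by_time(events):
    """Mirror `stats count by _time`: group on the exact (sub-second) value."""
    return Counter(e["_time"] for e in events)


def format_time(t, subsecond=False):
    """Render an epoch value the way a results table would.

    The default is second precision, like Splunk's table rendering of _time.
    subsecond=True plays the role of an explicit strftime with milliseconds.
    """
    dt = datetime.fromtimestamp(t, tz=timezone.utc)
    if subsecond:
        # %f gives microseconds; keep only the first three digits (milliseconds)
        return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]
    return dt.strftime("%Y-%m-%dT%H:%M:%S")


def render(rows, subsecond=False):
    """Produce (label, count) rows sorted by time, as the table would show them."""
    return [(format_time(t, subsecond), n) for t, n in sorted(rows.items())]


def bin_count_by_second(events):
    """Mirror `bin _time span=1s | stats count by _time`: truncate, then count."""
    return Counter(int(e["_time"]) for e in events)


if __name__ == "__main__":
    rows = stats_count_by_time(EVENTS)
    print("second precision (looks like a false group):")
    for label, n in render(rows):
        print(f"  {label}  count={n}")
    print("millisecond precision (the real grouping key):")
    for label, n in render(rows, subsecond=True):
        print(f"  {label}  count={n}")
    print("after binning to 1s:", dict(bin_count_by_second(EVENTS)))
```

The practical consequence for anyone building alerts on event rates: a search that counts `by _time` without an explicit `bin` (or `timechart`) groups on the raw value, so sub-second timestamps silently split one second into several rows, and thresholds computed per row will be lower than the true per-second rate.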

splunkbeginner2
Path Finder

Hello Martin,

Thanks. That type of support worked. When I tried to report a bug directly from Splunk, I just got the message that the support portal is offline and I can use the Enterprise support.

Yes, you can view the picture, because it was hosted externally on another website. Otherwise it wasn't possible, but I have reported it now.

I'll try to run the query as soon as I get home.

0 Karma