Splunk Search

False group by time (microseconds range!)

splunkbeginner2
Path Finder

Hello,

I wanted to take a look at some data with Splunk, as I was suddenly very surprised by its form. Splunk showed me some maximum points where it found a lot more events than on average. The problem: when I took a look at it with another query to see the time ranges of each group, I found something very interesting.

Splunk seems to group some events outside of the other ranges! - And I couldn't understand WHY?
That's my query:
sourcetype=blablabla| stats min(UTC) max(UTC) count by _time

Unfortunately the result is the following:
False Splunk group by

I really would have liked to upload the picture directly here. But the website said that only PNG or JPG files are allowed... And guess what: it didn't accept my Windows Snipping Tool result, neither as PNG nor as JPG.
Meanwhile I have reached a point where I can only say: Sorry Splunk. But such bugs REALLY suck and are not worth the huge amount of money we'll have to pay!

I hope that someone has an explanation, and especially that the Splunk team, which should be reading here, responds if possible; otherwise it's very unlikely that I'd recommend it for the company I am evaluating Splunk for. Especially because it's not possible to report a bug now without using the Enterprise support...

Regards,

Xantor


martin_mueller
SplunkTrust

Couple of points in your question, so let's go through them one by one.

  • You can submit bug reports without having Enterprise Support. Go to splunk.com -> Support -> Support Portal, that should be open for everyone.
  • You did manage to upload the picture directly here? I can see it.

As for your query, please run this:

sourcetype=blablabla| stats min(UTC) max(UTC) count by _time | eval time = strftime(_time, "%+")

Splunk formats the _time field in tables with second precision by default; I'm predicting that each row will have a different millisecond value... probably 0 for the count=18 one, and 332, 513, 659 for the other rows.

Maybe there's a problem with the timestamp recognition for some events? Do post the anonymized events that fall within that second along with the recognized _time value and the props.conf settings for that sourcetype.

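To make the second-precision display effect concrete, here is an added Python simulation (not code from the thread or from Splunk) of how `stats ... by _time` groups on the exact sub-second `_time` value, and how binning to whole seconds first (the effect of `bin _time span=1s` in SPL) changes the result. The sample events are constructed, with millisecond offsets chosen to match Martin's prediction.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone


def make_event(sec, ms):
    """Build a constructed event with a sub-second _time, as Splunk stores it."""
    utc = datetime.fromtimestamp(sec, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return {"_time": sec + ms / 1000, "UTC": f"{utc}.{ms:03d}Z"}


# Constructed sample: 18 events on the whole second, 3 with millisecond
# offsets in the same second, 3 more in the following second.
SAMPLE = [(1700000000, 0)] * 18 + [(1700000000, 332), (1700000000, 513),
                                   (1700000000, 659)] + [(1700000001, 0)] * 3
EVENTS = [make_event(sec, ms) for sec, ms in SAMPLE]


def stats_count_by_time(events, bin_to_seconds=False):
    """Mimic `stats min(UTC) max(UTC) count by _time`.

    bin_to_seconds=False groups on the exact _time value, sub-second
    digits included (Splunk's default). True groups on the whole second,
    which is what `bin _time span=1s | stats ... by _time` does.
    """
    groups = defaultdict(list)
    for ev in events:
        key = math.floor(ev["_time"]) if bin_to_seconds else ev["_time"]
        groups[key].append(ev["UTC"])
    rows = []
    for key in sorted(groups):
        utcs = groups[key]
        shown = datetime.fromtimestamp(key, timezone.utc)
        rows.append({
            "_time": key,
            # What the default table rendering shows: seconds only.
            "time_shown": shown.strftime("%Y-%m-%d %H:%M:%S"),
            # The hidden part that actually separates the groups.
            "ms": round((key - math.floor(key)) * 1000),
            "min_UTC": min(utcs), "max_UTC": max(utcs), "count": len(utcs),
        })
    return rows


if __name__ == "__main__":
    for label, binned in (("default", False), ("bin span=1s", True)):
        print(f"--- {label} ---")
        for r in stats_count_by_time(EVENTS, binned):
            print(r["time_shown"], f".{r['ms']:03d}", r["count"], r["min_UTC"], r["max_UTC"])
```

With the default grouping, four rows display the identical second while their `ms` column differs; after binning, the whole second collapses into one row with count 21.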

splunkbeginner2
Path Finder

Hello Martin,

Thanks, that type of support worked. When I tried to report a bug directly from Splunk, I just got the message that the support portal is offline and I can use the Enterprise support.

Yes, you can view the picture because it was hosted externally on another website. Otherwise it wasn't possible, but I have reported it now.

I'll try to run the query as soon as I get home.
