Splunk Search

False group by time (microseconds range!)

splunkbeginner2
Path Finder

Hello,

I wanted to take a look at some data with Splunk, and I was suddenly very surprised by its form. Splunk showed me some maximum points where it found a lot more events than on average. The problem: when I took a look at it with another query to see the time ranges of each group, I found something very interesting.

Splunk seems to group some events outside of the other ranges, and I couldn't understand WHY.
That's my query:
sourcetype=blablabla| stats min(UTC) max(UTC) count by _time

Unfortunately the result is the following:
(screenshot: False Splunk group by)

I really would have liked to upload the picture directly here. But the website said that only PNG or JPG files are allowed... And guess what: it didn't accept my Windows Snipping Tool result, neither as PNG nor as JPG.
Meanwhile I have reached a point where I can only say: sorry, Splunk, but such bugs REALLY suck and are not worth the huge amount of money we'll have to pay!

I hope that someone has an explanation, and especially that the Splunk team, which should be reading here, responds if possible; otherwise it's very unlikely that I'll recommend it for the company I am evaluating Splunk for. Especially because it's not possible to report a bug now without using Enterprise support...

Regards,

Xantor


martin_mueller
SplunkTrust

Couple of points in your question, so let's go through them one by one.

  • You can submit bug reports without having Enterprise Support. Go to splunk.com -> Support -> Support Portal, that should be open for everyone.
  • You did manage to upload the picture directly here? I can see it.

As for your query, please run this:

sourcetype=blablabla| stats min(UTC) max(UTC) count by _time | eval time = strftime(_time, "%+")

Splunk formats the _time field in tables with second precision by default. I'm predicting that each row will have a different millisecond value: probably 0 for the count=18 one, and 332, 513 and 659 for the other rows.

Maybe there's a problem with the timestamp recognition for some events? Do post the anonymized events that fall within that second along with the recognized _time value and the props.conf settings for that sourcetype.

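The effect Martin describes, as an added illustration that is not code from the post or from Splunk: a small Python model of `stats min(UTC) max(UTC) count by _time` run over constructed events. Splunk groups on the full-precision `_time` value (a float with a sub-second part), while the table renders `_time` to the second, so four rows that are really different appear to share one timestamp. The field name UTC, the epoch second and the millisecond offsets (0, 332, 513, 659 ms) are assumptions borrowed from the prediction above, not data from the original post.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data (not from the post): 21 events whose _time values
# all fall inside the same wall-clock second; 18 sit exactly on the second and
# three carry the millisecond offsets guessed in the answer (332, 513, 659 ms).
BASE_SECOND = 1500000000  # arbitrary epoch second (2017-07-14 02:40:00 UTC)
SUBSECOND_COUNTS = [(0.000, 18), (0.332, 1), (0.513, 1), (0.659, 1)]


def format_time(t, subseconds=False):
    """Render an epoch float the way a Splunk results table does by default
    (seconds only) or with milliseconds appended, which is the part that
    actually separates the rows."""
    s = datetime.fromtimestamp(int(t), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    if subseconds:
        s += ".%03d" % round((t - int(t)) * 1000)
    return s


def make_events():
    """Build the constructed event set. 'UTC' stands in for whatever raw
    timestamp field the original data carries (an assumed field name)."""
    events = []
    for frac, n in SUBSECOND_COUNTS:
        t = BASE_SECOND + frac
        for i in range(n):
            events.append({"_time": t, "UTC": format_time(t, subseconds=True), "host": f"h{i}"})
    return events


def stats_by(events, key):
    """Mimic `stats min(UTC) max(UTC) count by <key>`: one row per distinct key value."""
    rows = defaultdict(lambda: {"min_utc": None, "max_utc": None, "count": 0})
    for e in events:
        r = rows[key(e)]
        u = e["UTC"]
        r["min_utc"] = u if r["min_utc"] is None else min(r["min_utc"], u)
        r["max_utc"] = u if r["max_utc"] is None else max(r["max_utc"], u)
        r["count"] += 1
    return dict(rows)


def raw_time(e):
    """`stats ... by _time`: the group key is the full-precision float."""
    return e["_time"]


def whole_second(e):
    """`bin _time span=1s | stats ... by _time`: the key is the truncated second."""
    return float(int(e["_time"]))


def run():
    """Return (rows grouped on raw _time, rows grouped on the whole second)."""
    events = make_events()
    return stats_by(events, raw_time), stats_by(events, whole_second)


if __name__ == "__main__":
    by_raw, by_sec = run()
    print("stats by _time (default rendering hides the sub-second difference):")
    for t, r in sorted(by_raw.items()):
        print(f"  {format_time(t)}  ms={format_time(t, True)}  count={r['count']}")
    print("after bin _time span=1s:")
    for t, r in sorted(by_sec.items()):
        print(f"  {format_time(t)}  count={r['count']}")
```

In Splunk itself the same two views are `| eval t=strftime(_time, "%Y-%m-%d %H:%M:%S.%3N")` to expose the milliseconds, and `| bin _time span=1s | stats min(UTC) max(UTC) count by _time` to group on whole seconds when that is what the analysis intends. Which one is right depends on whether the sub-second spread is real or an artefact of timestamp recognition, which is why the events and the props.conf settings are the next thing to look at.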

splunkbeginner2
Path Finder

Hello Martin,

Thanks, that type of support worked. When I tried to report a bug directly from Splunk, I just got the message that the support portal is offline and that I can use Enterprise support.

Yes, you can view the picture because it was hosted externally on another website. Otherwise it wasn't possible, but I have reported it now.

I'll try to run the query as soon as I get home.
