I wanted to take a look at some data with Splunk, as I was suddenly very surprised by its form. Splunk showed me some maximum points where it found a lot more events than in the average. The problem: when I took a look at it with another query to see the time ranges of each group, I found something very interesting.
Splunk seems to group some events outside of the other ranges! And I couldn't understand WHY?
That's my query:
sourcetype=blablabla| stats min(UTC) max(UTC) count by _time
Unfortunately the result is the following:
I really would have liked to upload the picture directly here. But the website said that only PNG or JPG files are allowed... And guess what: it didn't accept my Windows Snipping Tool result, neither as PNG nor as JPG.
Meanwhile I reached a point where I can only say: Sorry Splunk. But such bugs REALLY suck and are not worth the huge amount of money we'll have to pay!
I hope that someone has an explanation and especially that the Splunk team, which should be reading here, responds if possible; otherwise it's very unlikely I'll recommend it for the company I am evaluating Splunk for. Especially because it's not possible to report a bug now without using the Enterprise support...
Couple of points in your question, so let's go through them one by one.
As for your query, please run this:
sourcetype=blablabla| stats min(UTC) max(UTC) count by _time | eval time = strftime(_time, "%+")
Splunk formats the _time field in tables with second precision by default. I'm predicting that each row will have a different millisecond value... probably 0 for the count=18 one, and 332, 513, 659 for the other rows.
Maybe there's a problem with the timestamp recognition for some events? Do post the anonymized events that fall within that second along with the recognized _time value and the props.conf settings for that sourcetype.
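To make the effect the answer describes concrete, here is an added Python model (not code from the thread or from Splunk) of what `stats ... by _time` does when events carry sub-second `_time` values. The event timestamps are constructed: 18 events on an exact second and three more in the same second at 332, 513 and 659 ms. Grouping on the raw float splits them into four rows that render identically at second precision; rendering with milliseconds (as `strftime(_time, "%Y-%m-%d %H:%M:%S.%3N")` would in SPL) exposes the difference, and bucketing to whole seconds first (as `bin _time span=1s` would) merges them into one row.

```python
import time
from collections import defaultdict

# Constructed sample (hypothetical values): 21 events inside one wall-clock
# second, 18 with an exact-second _time and three with sub-second _time.
EVENTS = [1500000000.0] * 18 + [1500000000.332, 1500000000.513, 1500000000.659]


def stats_by_time(events):
    """Model `stats min(_time) max(_time) count by _time`: group on the exact float."""
    groups = defaultdict(list)
    for t in events:
        groups[t].append(t)
    return {t: {"count": len(v), "min": min(v), "max": max(v)}
            for t, v in groups.items()}


def render_second_precision(groups):
    """Render each group key the way a table shows _time by default (seconds only)."""
    return [(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t)), g["count"])
            for t, g in sorted(groups.items())]


def render_subsecond(groups):
    """Render each group key with milliseconds, like strftime(_time, "...%3N")."""
    rows = []
    for t, g in sorted(groups.items()):
        ms = int(round((t - int(t)) * 1000))
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(t)) + f".{ms:03d}"
        rows.append((stamp, g["count"]))
    return rows


def stats_by_second(events):
    """Model `bin _time span=1s | stats count by _time`: bucket to the whole second first."""
    return stats_by_time([float(int(t)) for t in events])


if __name__ == "__main__":
    groups = stats_by_time(EVENTS)
    print("second precision (looks like duplicate rows):")
    for stamp, count in render_second_precision(groups):
        print(f"  {stamp}  count={count}")
    print("millisecond precision (the real group keys):")
    for stamp, count in render_subsecond(groups):
        print(f"  {stamp}  count={count}")
    print("bucketed to 1s span:")
    for stamp, count in render_second_precision(stats_by_second(EVENTS)):
        print(f"  {stamp}  count={count}")
```

The four "duplicate" rows are therefore not a grouping bug but distinct keys hidden by the display format; whether the three stragglers should have sub-second timestamps at all is the timestamp-recognition question the answer raises, which is why the raw events and the props.conf settings for the sourcetype are the next thing to check.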
Thanks. That type of support worked. When I tried to report a bug directly from Splunk I just got the message that the support portal is offline and I can use the Enterprise support.
Yes, you can view the picture, because it was hosted externally on another website. Otherwise it wasn't possible, but I reported it now.
I'll try to run the query as soon as I get home.