Splunk Search
Highlighted

False group by time (microseconds range!)

Path Finder

Hello,

I wanted to take a look at some data with splunk, as I was suddenly very surprised by its form. splunks showed me some maximum points, where he found a lot more events than in the average. The problem: When I took a look at it with an other query to see the time-ranges of each group I found something very interesting.

Splunk seems to group some events outside of the other ranges! - And I couldn't understand WHY?
thats my Query:
sourcetype=blablabla| stats min(UTC) max(UTC) count by _time

Unfortunately the result is the following:
False Splunk group by

I really would have liked you to upload the picture directly here. But the website said, that only PNG or JPG Files are allowed... And guess what: It didn't accepted my Windows Snipping tool result: Neither as PNG or JPG.
Meanwhile I reached a point where I can only say: Sorry Splunk. But such bugs REALLY sucks and are not worth the huge amount of money, we'll have to pay!

I hope that someone has an explanation and especially that the Splunk Team, which should be reading here, responds if possible, otherwise its very unlikely to recommend it for the company I am evaluating Splunk for. Especially because its not possible to report a bug now without using the Enterprise support...

Regards,

Xantor

Tags (3)
0 Karma
Highlighted

Re: False group by time (microseconds range!)

SplunkTrust
SplunkTrust

Couple of points in your question, so let's go through them one by one.

  • You can submit bug reports without having Enterprise Support. Go to splunk.com -> Support -> Support Portal, that should be open for everyone.
  • You did manage to upload the picture directly here? I can see it.

As for your query, please run this:

sourcetype=blablabla| stats min(UTC) max(UTC) count by _time | eval time = strftime(_time, "%+")

Splunk formats the _time field in tables with second precision by default, I'm predicting that each row will have a different millisecond value... probably 0 for the count=18 one, and 332, 513, 659 for the other rows.

Maybe there's a problem with the timestamp recognition for some events? Do post the anonymized events that fall within that second along with the recognized _time value and the props.conf settings for that sourcetype.

0 Karma
Highlighted

Re: False group by time (microseconds range!)

Path Finder

Hello Martin,

thanks. that type of support worked. when I tried to report a bug directly from splunk I just got the message, that the support portal is offline and I can use the enterprise support.

Yes you can view the picture, because it was hosted external on an other website. Otherwise it wasn't possible, but I reported it now.

I'll try to run the query as soon as I get home.

0 Karma