Splunk Search

How to enable "Verbose mode" as default in advanced XML or change search query to return proper values?

rmcfarla
Explorer

First off, I am running Splunk version 6.1.

My input data is a total device count that is updated daily. I am trying to show week-by-week growth, so I only need to get one of the values each week, then take the difference between the weeks and show it as a column report. Easy so far.

Here is what a single day's input looks like; I have one of these per day:

src_host=op2-prd1-db02.cisco.com,src_date="2014-10-2910:04:01.753828+00",total_found_devices="386775"

When I run the following query: index=caabistats | bucket span=1w _time | stats values(total_found_devices), first(total_found_devices), last(total_found_devices), latest(total_found_devices) by _time

I can see the 7 daily values, and using the first, last and latest functions it shows the values from the bucket. When looking at the Statistics tab everything looks good on the first page of results, but starting on the second page the first, last and latest start choosing random items in the bucket. Not every bucket has the problem, but the majority of them do. The first and latest values are always the same.

_time values(total_found_devices), first(total_found_devices), last(total_found_devices), latest(total_found_devices)
2014-01-09 00:00:00 (131962, 132797, 133449, 133568, 133816, 134410, 135207), 131962, 135207, 131962 <== flipped and wrong
2014-01-16 00:00:00 (135899, 136467, 137101, 137213, 137452, 138252, 138693), 135899, 136467, 135899 <== wrong
2014-01-23 00:00:00 (139462, 140161, 140725, 140785, 141134, 141835, 142498), 139462, 141835, 139462 <== wrong
2014-01-30 00:00:00 (143186, 144187, 144664, 144736, 145134, 145756, 146632), 146632, 143186, 146632 <== correct
2014-02-06 00:00:00 (147261, 147985, 148254, 148378, 148570, 149165, 149898), 149165, 149898, 149165 <== wrong
2014-02-13 00:00:00 (150861, 151604, 152031, 152056, 152096, 152912, 153667), 151604, 152031, 151604 <== wrong
2014-02-20 00:00:00 (154337, 154947, 155274, 155382, 155897, 156945, 157778), 155897, 156945, 155897 <== wrong
2014-02-27 00:00:00 (158404, 159490, 160044, 160173, 160551, 161360, 161935), 161935, 158404, 161935 <== correct
2014-03-06 00:00:00 (162515, 163503, 164114, 164253, 164483, 165410, 166101), 166101, 162515, 166101 <== correct
2014-03-13 00:00:00 (166989, 167793, 168539, 168844, 169163, 170180, 171480), 166989, 171480, 166989 <== flipped and wrong

Now this only happens when I am in fast or smart mode. If I change the mode to verbose then the values are always correct. Looking around, I cannot see a way to make verbose mode the default in my advanced XML. It seems like the first and last functions are not correct unless I am in verbose mode.

I have also tried changing the query around like this, with the exact same results:

index=caabistats |timechart span="1w" last(total_found_devices) as dev_count
| delta dev_count as dev_diff
| timechart span="1w" values(dev_diff) as "Total Devices"

Any help or tips would be appreciated

Rowan

0 Karma

martin_mueller
SplunkTrust

The first and last functions depend on the order of results returned by the search, which is not reliable in every situation. Replacing last with latest should do the trick for your timechart search.

0 Karma

rmcfarla
Explorer

Thanks Martin, but if you look at my query I was already listing/trying latest, and it did not fix the problem.

It sure looks like in this grouping that the last, first and latest functions are not working correctly. Here is how I fixed my problem and made the selection work correctly within the groups.

index=caabistats
| bucket span=1w _time
| eval val1=replace( strptime(src_date, "%Y-%m-%d") . "," . tostring(total_found_devices), "Null", "0" )
| stats min(val1) as val1 by _time
| rex field=val1 "^[^,]+,(?<dev_count>\d+)$"
| stats values(dev_count) as dev_count by _time
| delta dev_count as dev_diff
| timechart span="1w" values(dev_diff) as "Total Devices"

Rowan

0 Karma
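Martin's point (first and last follow result order, which fast and smart mode do not guarantee) and Rowan's string-packing fix both come down to the same thing: pick the earliest record of each week by its timestamp rather than by its position in the results. One detail explains why latest() did not help in the stats search: `bucket span=1w _time` overwrites _time with the start of the week, so within a bucket every event has the same _time and earliest()/latest() have nothing left to order by. Binning into a separate field keeps the original timestamps. The search below is an added example, not from the original thread; it assumes the index and field names from the question and that each event's _time is the collection time of the daily record (if _time is the index time instead, set it from src_date with strptime before the bin step).

```spl
index=caabistats
| bin span=1w _time as week
| stats earliest(total_found_devices) as dev_count by week
| rename week as _time
| delta dev_count as dev_diff
| timechart span=1w values(dev_diff) as "Total Devices"
```

To confirm the pick before charting, stop after the stats line and add `values(total_found_devices) as all_days` to it: dev_count should equal the smallest entry of all_days in every row, on every page, in fast mode as well as verbose.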