Splunk Search

How to enable "Verbose mode" as default in advanced XML or change search query to return proper values?

rmcfarla
Explorer

First off I am running Splunk version 6.1

My input data is I have a total device count that is updated daily. I am trying to show a week by week growth so I only need to get one of the values each week and then take the difference between the weeks and show it as a column report. Easy so far.

here is what a single days input looks like, I have one of these per day:

src_host=op2-prd1-db02.cisco.com,src_date="2014-10-2910:04:01.753828+00",total_found_devices="386775"

When I run the following query: index=caabistats | bucket span=1w _time | stats values(total_found_devices), first(total_found_devices), last(total_found_devices), latest(total_found_devices) by _time

I can see the 7 daily values and using the first, last and latest functions it shows the values from the bucket. When looking at the Statistics tab everything looks good on the first page of results, but starting on the second page the first, last and latest start choosing random items in the bucket but not every bucket has the problem but the majority of them do. The first and latest values are always the same.

_time values(total_found_devices), first(total_found_devices), last(total_found_devices), latest(total_found_devices)
2014-01-09 00:00:00 (131962, 132797, 133449, 133568, 133816, 134410, 135207), 131962, 135207, 131962 <== flipped and wrong
2014-01-16 00:00:00 (135899, 136467, 137101, 137213, 137452, 138252, 138693), 135899, 136467, 135899 <== wrong
2014-01-23 00:00:00 (139462, 140161, 140725, 140785, 141134, 141835, 142498), 139462, 141835, 139462 <== wrong
2014-01-30 00:00:00 (143186, 144187, 144664, 144736, 145134, 145756, 146632), 146632, 143186, 146632 <== correct
2014-02-06 00:00:00 (147261, 147985, 148254, 148378, 148570, 149165, 149898), 149165, 149898, 149165 <== wrong
2014-02-13 00:00:00 (150861, 151604, 152031, 152056, 152096, 152912, 153667), 151604, 152031, 151604 <== wrong
2014-02-20 00:00:00 (154337, 154947, 155274, 155382, 155897, 156945, 157778), 155897, 156945, 155897 <== wrong
2014-02-27 00:00:00 (158404, 159490, 160044, 160173, 160551, 161360, 161935), 161935, 158404, 161935 <== correct
2014-03-06 00:00:00 (162515, 163503, 164114, 164253, 164483, 165410, 166101), 166101, 162515, 166101 <== correct
2014-03-13 00:00:00 (166989, 167793, 168539, 168844, 169163, 170180, 171480), 166989, 171480, 166989 <== flipped and wrong

Now this only happens when I am in the fast or smart modes. If I change the mode to verbose then the values are always correct. Looking around I cannot see a way to make the verbose method the default in my advanced XML. Seems like the first, last functions are not correct unless I am in verbose mode.

I have also tied to change the query around like this with the exact same results

index=caabistats |timechart span="1w" last(total_found_devices) as dev_count
| delta dev_count as dev_diff
| timechart span="1w" values(dev_diff) as "Total Devices"

Any help or tips would be appreciated

Rowan

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The first and last functions depend on the order of results returned by the search, which is not reliable in every situation. Replacing last with latest should do the trick for your timechart search.

0 Karma

rmcfarla
Explorer

Thanks Martin but if you look at my query I was already listing or trying the latest and it did not fix the problem.

It sure looks like in this grouping that the last, first and latest functions are not working correctly. Here is how I fixed my problem and made the selection work correctly within the groups.

index=caabistats
| bucket span=1w _time
| eval val1=replace( strptime(src_date, "%Y-%m-%d") + "," + tostring(total_found_devices), "Null", "0" )
| stats min(val1) as val1 by _time
| rex field=val1 "\d+,(?\d+)
| stats values(dev_count) as dev_count by _time
| delta dev_count as dev_diff
| timechart span="1w" values(dev_diff) as "Total Devices"

Rowan

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...