Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

In Splunk versions after 6.4.3, chart using span=log no longer works. Is there a workaround?

rdominy
Engager
‎10-18-2016 09:28 AM

I was successfully using the following query with Splunk 6.4.3:

index="pixelscoredata"| chart count by imps_budget bins=10 span=log

But as of 6.4.4 and 6.5.0 it now throws the following error: 

"Error in 'chart' command: The value for option span is invalid: 'log'. "

This still works fine if using timechart instead of chart. I've tried a number of variations such as specifying the coefficient and base without success. The documentation shows it still being supported.

Is this a known bug? Any workarounds?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rdominy
Engager
‎10-21-2016 10:20 AM

We found the problem. We had a file import with source type set to automatic and it ended up creating over 80K rows of new types and was severely slowing down the system. That appears to have been causing some under-the-covers timeout in searches on other indexes because as soon as we cleaned that up, span=log began working.

TL;DR If features stop working (even coincidently after a software upgrade), check your imports and source types and avoid "automatic" source types.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rdominy
Engager
‎10-21-2016 10:20 AM

We found the problem. We had a file import with source type set to automatic and it ended up creating over 80K rows of new types and was severely slowing down the system. That appears to have been causing some under-the-covers timeout in searches on other indexes because as soon as we cleaned that up, span=log began working.

TL;DR If features stop working (even coincidently after a software upgrade), check your imports and source types and avoid "automatic" source types.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-18-2016 10:16 AM

I shortened the timeframe and got it to work, but when I'm looking for a longer period of time, it works for a few seconds and errors out.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...