Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Not getting data for all day

twh1
Communicator
‎02-13-2019 02:26 AM

I am running timechart command for sum of free space and used space with span of 1 day. I am missing data for few days. but when I am running the same command on those specific date, I am getting data.

Below command for last 7 days.

base search | timechart span=1d sum(Used_Space_GB) as "Used Space", sum(Free_Space_GB) as "Free Space" 
_time           Used Space           Free Space
2019-02-06       0.03                    0.95
2019-02-07       3744.03             2575.97
2019-02-08      56946.22            122232.70
2019-02-09      0                           0
2019-02-10      0                           0
2019-02-11     19.00                   2330.00
2019-02-12     0                          0
2019-02-13    399369.75      791924.36

but when I am running the same query for 12th Feb 2019. I am getting below result.

base search | timechart span=1d sum(Used_Space_GB) as "Used Space", sum(Free_Space_GB) as "Free Space"
_time                Used Space Free Space
2019-02-12 00:00:00 398641.91   792654.95
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

twh1
Communicator
‎02-19-2019 03:23 AM

I have removed the dedup from host and got the desired output.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

twh1
Communicator
‎02-19-2019 03:23 AM

I have removed the dedup from host and got the desired output.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-19-2019 03:29 AM

I downvoted this post because your original post doesn't even mention dedup... this solution helps no future people who come across this question

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-13-2019 02:48 AM

I think your query should be using avg instead of sum:

Try this: base search | timechart span=1d avg(Used_Space_GB) as "Used Space", avg(Free_Space_GB) as "Free Space"

This is becuase there are probably a few monitoring points per day

As for why the 12th is different, I am not sure...

Reply
Solved! Jump to solution

twh1
Communicator
‎02-13-2019 03:25 AM

Hi @chrisyoungerjds ,
I want the sum of free space and sum of used space with daily span.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-13-2019 09:17 AM

It is highly unlikely that your logs are giving you delta values. I have never seen any disk usage tool present data in such a way. If you are getting deltas, then sum is correct. However, if the logs are giving you current state, then you should be using avg. Take a good hard look at the logs and the source of them. I am sure that @chrisyoungerjds is correct.

Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-13-2019 03:30 AM

how often are the raw events arriving? are they on a daily basis? is the time the measurement take at midnight - if so, does the exact time drift a little which causes the days to not add up properly?

0 Karma
Reply
Solved! Jump to solution

twh1
Communicator
‎02-13-2019 05:13 AM

data is coming every 10 min.

0 Karma
Reply
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...