Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Not getting data for all day

twh1
Communicator
‎02-13-2019 02:26 AM

I am running timechart command for sum of free space and used space with span of 1 day. I am missing data for few days. but when I am running the same command on those specific date, I am getting data.

Below command for last 7 days.

base search | timechart span=1d sum(Used_Space_GB) as "Used Space", sum(Free_Space_GB) as "Free Space" 
_time           Used Space           Free Space
2019-02-06       0.03                    0.95
2019-02-07       3744.03             2575.97
2019-02-08      56946.22            122232.70
2019-02-09      0                           0
2019-02-10      0                           0
2019-02-11     19.00                   2330.00
2019-02-12     0                          0
2019-02-13    399369.75      791924.36

but when I am running the same query for 12th Feb 2019. I am getting below result.

base search | timechart span=1d sum(Used_Space_GB) as "Used Space", sum(Free_Space_GB) as "Free Space"
_time                Used Space Free Space
2019-02-12 00:00:00 398641.91   792654.95
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

twh1
Communicator
‎02-19-2019 03:23 AM

I have removed the dedup from host and got the desired output.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

twh1
Communicator
‎02-19-2019 03:23 AM

I have removed the dedup from host and got the desired output.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-19-2019 03:29 AM

I downvoted this post because your original post doesn't even mention dedup... this solution helps no future people who come across this question

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-13-2019 02:48 AM

I think your query should be using avg instead of sum:

Try this: base search | timechart span=1d avg(Used_Space_GB) as "Used Space", avg(Free_Space_GB) as "Free Space"

This is becuase there are probably a few monitoring points per day

As for why the 12th is different, I am not sure...

Reply
Solved! Jump to solution

twh1
Communicator
‎02-13-2019 03:25 AM

Hi @chrisyoungerjds ,
I want the sum of free space and sum of used space with daily span.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-13-2019 09:17 AM

It is highly unlikely that your logs are giving you delta values. I have never seen any disk usage tool present data in such a way. If you are getting deltas, then sum is correct. However, if the logs are giving you current state, then you should be using avg. Take a good hard look at the logs and the source of them. I am sure that @chrisyoungerjds is correct.

Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-13-2019 03:30 AM

how often are the raw events arriving? are they on a daily basis? is the time the measurement take at midnight - if so, does the exact time drift a little which causes the days to not add up properly?

0 Karma
Reply
Solved! Jump to solution

twh1
Communicator
‎02-13-2019 05:13 AM

data is coming every 10 min.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...