Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Not getting data for all day

twh1
Communicator
‎02-13-2019 02:26 AM

I am running timechart command for sum of free space and used space with span of 1 day. I am missing data for few days. but when I am running the same command on those specific date, I am getting data.

Below command for last 7 days.

base search | timechart span=1d sum(Used_Space_GB) as "Used Space", sum(Free_Space_GB) as "Free Space" 
_time           Used Space           Free Space
2019-02-06       0.03                    0.95
2019-02-07       3744.03             2575.97
2019-02-08      56946.22            122232.70
2019-02-09      0                           0
2019-02-10      0                           0
2019-02-11     19.00                   2330.00
2019-02-12     0                          0
2019-02-13    399369.75      791924.36

but when I am running the same query for 12th Feb 2019. I am getting below result.

base search | timechart span=1d sum(Used_Space_GB) as "Used Space", sum(Free_Space_GB) as "Free Space"
_time                Used Space Free Space
2019-02-12 00:00:00 398641.91   792654.95
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

twh1
Communicator
‎02-19-2019 03:23 AM

I have removed the dedup from host and got the desired output.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

twh1
Communicator
‎02-19-2019 03:23 AM

I have removed the dedup from host and got the desired output.

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-19-2019 03:29 AM

I downvoted this post because your original post doesn't even mention dedup... this solution helps no future people who come across this question

0 Karma
Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-13-2019 02:48 AM

I think your query should be using avg instead of sum:

Try this: base search | timechart span=1d avg(Used_Space_GB) as "Used Space", avg(Free_Space_GB) as "Free Space"

This is becuase there are probably a few monitoring points per day

As for why the 12th is different, I am not sure...

Reply
Solved! Jump to solution

twh1
Communicator
‎02-13-2019 03:25 AM

Hi @chrisyoungerjds ,
I want the sum of free space and sum of used space with daily span.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-13-2019 09:17 AM

It is highly unlikely that your logs are giving you delta values. I have never seen any disk usage tool present data in such a way. If you are getting deltas, then sum is correct. However, if the logs are giving you current state, then you should be using avg. Take a good hard look at the logs and the source of them. I am sure that @chrisyoungerjds is correct.

Reply
Solved! Jump to solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-13-2019 03:30 AM

how often are the raw events arriving? are they on a daily basis? is the time the measurement take at midnight - if so, does the exact time drift a little which causes the days to not add up properly?

0 Karma
Reply
Solved! Jump to solution

twh1
Communicator
‎02-13-2019 05:13 AM

data is coming every 10 min.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...