I am new to splunk and I do not understand why this is giving me the same result.
There are 3 different site_names I am looking to to get the max latency out of all three.
Then when a user chooses a filter just to get the max for what they chose
index=fultonrssi sourcetype=FultonRSSI test_type_code=PING site_name="Bear Creek MS" closet_id="*" host=*| timechart max(latency) as "Max Latency"
index=fultonrssi sourcetype=FultonRSSI test_type_code=PING site_name="Banneker HS" closet_id="*" host=*| timechart max(latency) as "Max Latency"
This is the result for both
_time Max Latency
2019-10-01 14:30:00 2055.8
I looked at the raw data and they are definitely different
thanks
if you do a <base search>|stats count by latency|sort 0 - latency
, is the first result the same?
try doing index=fultonrssi sourcetype=FultonRSSI test_type_code=PING closet_id="*" host=*| timechart max(latency) as "Max Latency" by site_name
or
index=fultonrssi sourcetype=FultonRSSI test_type_code=PING closet_id="*" host=*| chart count by latency site_name
to check the differences. Those searches you have look accurate to me, so in my opinion, it looks like those sites have the same max for that time frame. You could try to add span=5min
to the timechart to see if a more narrow span will yield different results, as well.
You cannot timechart a non-number and if your latency
is in duration
format and contains colons, it is not a valid field to use for timechart
. You may only use actual numbers.
if you do a <base search>|stats count by latency|sort 0 - latency
, is the first result the same?
try doing index=fultonrssi sourcetype=FultonRSSI test_type_code=PING closet_id="*" host=*| timechart max(latency) as "Max Latency" by site_name
or
index=fultonrssi sourcetype=FultonRSSI test_type_code=PING closet_id="*" host=*| chart count by latency site_name
to check the differences. Those searches you have look accurate to me, so in my opinion, it looks like those sites have the same max for that time frame. You could try to add span=5min
to the timechart to see if a more narrow span will yield different results, as well.