Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart after sort display

Hod152
Explorer
‎07-16-2024 05:17 AM

Hey,
Iv'e noticed some wierd behviour that is making me suspect the relaibility of my queries so I'm really looking for an explanation, I was making some searches and displaying them on a timechart, for some reason the timechart looks completly different when I sort the fields befor.

this is the basic search and it's results:

 

 

|tstats count WHERE case=test responseCode=200 requestStatus!=legal by clientIp _time span=1h| timechart sum(count) span=1h

 

 

Hod152_2-1721131756532.png


After sorting clientIp field this is how the graph looks like:

 

 

|tstats count WHERE case=test  responseCode=200 requestStatus!=legal by clientIp _time span=1h| sort -clientIp |timechart sum(count) span=1h

 

 

Hod152_1-1721131709287.png

 

 

|tstats count WHERE case=test responseCode=200 requestStatus!=legal by clientIp _time span=1h| sort +clientIp |timechart sum(count) span=1h

 

 

Hod152_3-1721132009680.png

Note that the count is decreased on the sorted search.

 

 


What can explain that behaviour? Which chart should I relay on? Is that a feature of sorting?

Thanks

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-16-2024 06:03 AM

sort truncates at 10k values - try something like this

| sort 0 -clientip

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-16-2024 06:03 AM

sort truncates at 10k values - try something like this

| sort 0 -clientip
Reply
Solved! Jump to solution

Hod152
Explorer
‎07-17-2024 04:00 AM

Thanks!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-16-2024 05:42 AM

Hi @Hod152,

why you did this?

if you have tstats BY _time, you already have the timechart:

 

| tstats 
     count 
     WHERE case=test  responseCode=200 requestStatus!=legal 
     BY clientIp _time span=1h

 

Anyway, it's always better to indicate the indexes to use in the search, to have more performant searces  and avoid default search path issues.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Hod152
Explorer
‎07-17-2024 03:32 AM

It just suited my work sequence...

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...