Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart after sort display

Hod152
Explorer
‎07-16-2024 05:17 AM

Hey,
Iv'e noticed some wierd behviour that is making me suspect the relaibility of my queries so I'm really looking for an explanation, I was making some searches and displaying them on a timechart, for some reason the timechart looks completly different when I sort the fields befor.

this is the basic search and it's results:

 

 

|tstats count WHERE case=test responseCode=200 requestStatus!=legal by clientIp _time span=1h| timechart sum(count) span=1h

 

 

Hod152_2-1721131756532.png


After sorting clientIp field this is how the graph looks like:

 

 

|tstats count WHERE case=test  responseCode=200 requestStatus!=legal by clientIp _time span=1h| sort -clientIp |timechart sum(count) span=1h

 

 

Hod152_1-1721131709287.png

 

 

|tstats count WHERE case=test responseCode=200 requestStatus!=legal by clientIp _time span=1h| sort +clientIp |timechart sum(count) span=1h

 

 

Hod152_3-1721132009680.png

Note that the count is decreased on the sorted search.

 

 


What can explain that behaviour? Which chart should I relay on? Is that a feature of sorting?

Thanks

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-16-2024 06:03 AM

sort truncates at 10k values - try something like this

| sort 0 -clientip

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-16-2024 06:03 AM

sort truncates at 10k values - try something like this

| sort 0 -clientip
Reply
Solved! Jump to solution

Hod152
Explorer
‎07-17-2024 04:00 AM

Thanks!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-16-2024 05:42 AM

Hi @Hod152,

why you did this?

if you have tstats BY _time, you already have the timechart:

 

| tstats 
     count 
     WHERE case=test  responseCode=200 requestStatus!=legal 
     BY clientIp _time span=1h

 

Anyway, it's always better to indicate the indexes to use in the search, to have more performant searces  and avoid default search path issues.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Hod152
Explorer
‎07-17-2024 03:32 AM

It just suited my work sequence...

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...