Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Timechart after sort display

Hod152
Explorer
‎07-16-2024 05:17 AM

Hey,
Iv'e noticed some wierd behviour that is making me suspect the relaibility of my queries so I'm really looking for an explanation, I was making some searches and displaying them on a timechart, for some reason the timechart looks completly different when I sort the fields befor.

this is the basic search and it's results:

 

 

|tstats count WHERE case=test responseCode=200 requestStatus!=legal by clientIp _time span=1h| timechart sum(count) span=1h

 

 

Hod152_2-1721131756532.png


After sorting clientIp field this is how the graph looks like:

 

 

|tstats count WHERE case=test  responseCode=200 requestStatus!=legal by clientIp _time span=1h| sort -clientIp |timechart sum(count) span=1h

 

 

Hod152_1-1721131709287.png

 

 

|tstats count WHERE case=test responseCode=200 requestStatus!=legal by clientIp _time span=1h| sort +clientIp |timechart sum(count) span=1h

 

 

Hod152_3-1721132009680.png

Note that the count is decreased on the sorted search.

 

 


What can explain that behaviour? Which chart should I relay on? Is that a feature of sorting?

Thanks

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-16-2024 06:03 AM

sort truncates at 10k values - try something like this

| sort 0 -clientip

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-16-2024 06:03 AM

sort truncates at 10k values - try something like this

| sort 0 -clientip
Reply
Solved! Jump to solution

Hod152
Explorer
‎07-17-2024 04:00 AM

Thanks!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-16-2024 05:42 AM

Hi @Hod152,

why you did this?

if you have tstats BY _time, you already have the timechart:

 

| tstats 
     count 
     WHERE case=test  responseCode=200 requestStatus!=legal 
     BY clientIp _time span=1h

 

Anyway, it's always better to indicate the indexes to use in the search, to have more performant searces  and avoid default search path issues.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Hod152
Explorer
‎07-17-2024 03:32 AM

It just suited my work sequence...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...

Keep the Learning Going with the New Best of .conf Hub

Hello Splunkers, With .conf26 getting closer, there’s already a lot of excitement building around this year’s ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...