Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart and Chart display buggy column "count" when using "limit=0"

Paolo_Prigione
Builder
‎07-14-2010 08:01 AM

I've noticed that on Splunk 4.1.3 the timechart and chart commands, when used with "limit=0", the "count" aggregation and split-by-clause, will add a "count" column to the results.

... | chart count limit=0 over _time by host
... | timechart limit=0 count by host

The results table will show something like:

_time host1 host2 count host3 ....

That fake, all-zeros, data series will display in reports and clicking on it would drilldown to a search filtered with host=count (in this example).

This happens even if using count(_raw), but does not happen with other stats, such as "max".

Splunk is 4.1.3 on a 64bit Linux box

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎07-15-2010 08:44 PM

I can confirm that this is a bug. Use the fields workaround for now 

<your search> | timechart limit=0 count by host | fields - count

We discovered the bug ourselves a few weeks ago and hopefully it'll be fixed before too long.

(its filed as SPL-32241 for splunkers following along)

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎07-15-2010 08:44 PM

I can confirm that this is a bug. Use the fields workaround for now 

<your search> | timechart limit=0 count by host | fields - count

We discovered the bug ourselves a few weeks ago and hopefully it'll be fixed before too long.

(its filed as SPL-32241 for splunkers following along)

Reply
Solved! Jump to solution

Paolo_Prigione
Builder
‎07-14-2010 08:02 AM

A workaround would be to pipe it all through the "fields" command

... | timechart limit=0 count by host | fields - count

to remove the erroneous column

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...