Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Timechart removes 0 values when searching for over 2 days

EG1
Engager
‎04-07-2024 05:48 AM

Hi,

I have this search for example:

index=test elb_status_code=200  | timechart count as total span=1s | stats count as num_seconds by total | sort by total

When I search this for 1,2 days - my result includes total of 0,1,2,3 etc.. when i go above, 3 days for example - I loose all the data about the 0 value and my results start with 1,2,3 etc.. 

Anyone could explain this? am I doing something wrong or could this be a bug somewhere? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-08-2024 02:10 AM

Timechart will be filling in the empty time slots with zeroes. Given that you have an error, I suspect that this part of the process hasn't been reached before the error, which is why these are missing from your final result.

View solution in original post

Reply
Solved! Jump to solution

marnall
Builder
‎04-07-2024 08:47 AM

I have a feeling that Splunk is automatically capping the number of rows when you use | timechart span=1s (this could result in 86400 rows per day), which would explain why your search works fine with 1-2 days but not with more than three.

Maybe you could try binning the _time to a 1s value and then doing stats on it.

index=test elb_status_code=200  
| bin _time span=1s
| stats count as total by _time
| stats count as num_seconds by total
| sort 0 total

I am also curious how you got it to show values for total of 0. The count() function does not do that by default.

0 Karma
Reply
Solved! Jump to solution

EG1
Engager
‎04-07-2024 11:49 PM

Thanks, I've tried that but still didn't get the "null" values.

I do get an error which says - "The specified span would result in too many (>175000) rows."

I get this error a lot during this search but i don't understand why would the null values only be missing?

Additionally - does this error necessarily mean that search has failed or stopped at the limit?

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-08-2024 02:10 AM

Timechart will be filling in the empty time slots with zeroes. Given that you have an error, I suspect that this part of the process hasn't been reached before the error, which is why these are missing from your final result.

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-07-2024 06:58 AM

Not sure if this will help but you could try 

| sort 0 total
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...