Splunk Search

Timechart with latest() doesn't display results when used on its own

echalex
Builder

Hi,

I'm trying to follow the disk usage as gathered by the NIX app. I think the most appropriate timechart function would be latest() since neither max() nor min() are quite what I need. However, I've noticed the weirdness that latest() doesn't display any values in the visualisation when used on its own. BUT, if I also include max(), then both values will be shown.

Works (draws graphs for both values):

index=os host=foo OR host=bar sourcetype=df | eval hostmount=host+":"+MountedOn | timechart span=1h max(UsePct), latest(UsePct) by hostmount

Doesn't work (no graph is drawn):

index=os host=foo OR host=bar sourcetype=df | eval hostmount=host+":"+MountedOn | timechart span=1h latest(UsePct) by hostmount

I've noticed that it also works if I use latest() in combination with any other statistical function, such as median(), avg(), min(), etc. But it just doesn't work on its own. I'm using Splunk 6.2.4. Is this a bug or just something I'm not getting?

0 Karma
1 Solution

maciep
Champion

I just tried on 6.3.4 and it seems to be the same. If I had to guess, I'd say the problem is that latest doesn't work on numbers exclusively. Which is nice, because you may want to get the latest value of any field, strings included.

So with that in mind, using latest leaves the "%" on that field and maybe the timechart doesn't know what to do with it. Where it's possible that the other stats functions (max, avg, median, etc) are converting it to a number to actually perform the statistical function? And maybe if they're already doing it, then it gets done for latest too when it's included in the list?

I did notice that if I run this eval before the timechart, it seems to work with latest() on its own

eval UsePct = trim(UsePct,"%")

Not sure if there is a more "inherent" way of telling the timechart to just convert it to a number itself...

echalex
Builder

Aha! Yes, you're definitely on the right track. I didn't consider that UsePct actually is a string with a %-sign at the end. When I check under the Statistics tab, I can see that latest(UsePct) on its own shows the values with a %-sign. If I also include max(UsePct), the sign is dropped from both values. Odd behaviour, perhaps, but whether it's a bug might be debatable.
Your solution is probably the simplest. Thanks!

0 Karma

echalex
Builder

Had to check. tonumber() won't work without trim(), so your solution seems the best.

0 Karma
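A self-contained search that reproduces what this thread found, added here as an example and not something posted by echalex or maciep. It needs no os index: makeresults fabricates six hourly df-style rows whose UsePct carries the trailing "%" that the NIX df sourcetype produces, so it assumes only a Splunk instance of 6.3 or later (where makeresults is available). The host, MountedOn and hostmount names mirror the original searches; tonumber_only and trimmed are names chosen for this example.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = now() - (6 - n) * 3600
| eval host = if(n % 2 == 0, "foo", "bar"), MountedOn = "/"
| eval UsePct = tostring(40 + n * 5) . "%"
| eval hostmount = host . ":" . MountedOn
| eval tonumber_only = tonumber(UsePct)
| eval trimmed = trim(UsePct, "%")
| stats latest(UsePct) AS raw_string, latest(tonumber_only) AS tonumber_only, latest(trimmed) AS trimmed by hostmount
```

The first six lines build the constructed data: one event per hour, alternating hosts, UsePct values of 45% through 70%. The Statistics tab then shows three columns per hostmount: raw_string keeps the "%" (70% for foo:/, 65% for bar:/), which is why latest(UsePct) on its own yields a string that timechart cannot plot; tonumber_only is empty, because tonumber("70%") returns null, matching the finding that tonumber() alone does not help; trimmed holds 70 and 65, the numeric-looking values the accepted answer relies on. To get the chart the question asks for, replace the final stats line with `| eval UsePct = trimmed | timechart span=1h latest(UsePct) by hostmount`, or use `tonumber(trim(UsePct, "%"))` if you prefer the conversion to be explicit rather than left to timechart. No inline comments are used because the backtick comment syntax is not available on the 6.x releases discussed here.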