Splunk Search

Timechart with latest() doesn't display results when used on its own

echalex
Builder

Hi,

I'm trying to follow the disk usage as gathered by the NIX app. I think the most appropriate timechart function would be latest() since neither max() nor min() are quite what I need. However, I've noticed the weirdness that latest() doesn't display any values in the visualisation when used on its own. BUT, if I also include max(), then both values will be shown.

Works (draws graphs for both values):

index=os host=foo OR host=bar sourcetype=df|eval hostmount=host+":"+MountedOn | timechart span=1h max(UsePct), latest(UsePct)  by hostmount

Doesn't work (no graph is drawn):

index=os host=foo OR host=bar sourcetype=df|eval hostmount=host+":"+MountedOn | timechart span=1h latest(UsePct)  by hostmount

I've noticed that it also works if I use latest() in combination with any other statistical function, such as median(), avg(), min(), etc. But it just doesn't work on its own. I'm using Splunk 6.2.4. Is this a bug or just something I'm not getting?

1 Solution

maciep
Champion

I just tried on 6.3.4 and it seems to be the same. If I had to guess, I'd say the problem is that latest doesn't work on numbers exclusively. Which is nice, because you may want to get the latest value of any field, strings included.

So with that in mind, using latest leaves the "%" on that field and maybe the timechart doesn't know what to do with it. Where it's possible that the other stats functions (max, avg, median, etc) are converting it to a number to actually perform the statistical function? And maybe if they're already doing it, then it gets done for latest too when it's included in the list?

I did notice that if I run this eval before the timechart, it seems to work with latest() on its own

eval UsePct = trim(UsePct,"%")

Not sure if there is a more "inherent" way of telling the timechart to just convert it to a number itself...

echalex
Builder

Aha! Yes, you're definitely on the right track. I didn't consider that UsePct actually is a string with a %-sign at the end. When I check under the statistics-tab, I can see that latest(UsePct) on its own shows the values with a %-sign. If I also include max(UsePct), the sign is dropped from both values. Odd behaviour, perhaps, but whether it's a bug might be debatable.
Your solution is probably the simplest. Thanks!


echalex
Builder

Had to check. tonumber() won't work without trim(), so your solution seems the best.

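The corrected search from this thread written out in full, as an added example rather than a search posted by either participant: UsePct is stripped of its "%" and converted with tonumber() before the timechart, so latest() receives a number and the chart draws on its own. The parentheses around the host clause are an addition so that sourcetype=df applies to both hosts (Splunk's implicit AND binds tighter than OR); the index, field names and span are the ones from the original question.

```spl
index=os (host=foo OR host=bar) sourcetype=df
| eval UsePct=tonumber(trim(UsePct,"%"))
| eval hostmount=host+":"+MountedOn
| timechart span=1h latest(UsePct) by hostmount
```

Check the Statistics tab after running it: the latest(UsePct) column should now show bare numbers with no "%" suffix, which is the condition under which the visualisation renders.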