Splunk Search

Timechart with latest() doesn't display results when used on its own

echalex
Builder

Hi,

I'm trying to follow the disk usage as gathered by the NIX app. I think the most appropriate timechart function would be latest() since neither max() nor min() are quite what I need. However, I've noticed the weirdness that latest() doesn't display any values in the visualisation when used on its own. BUT, if I also include max(), then both values will be shown.

Works (draws graphs for both values):

index=os host=foo OR host=bar sourcetype=df|eval hostmount=host+":"+MountedOn | timechart span=1h max(UsePct), latest(UsePct)  by hostmount

Doesn't work (no graph is drawn):

index=os host=foo OR host=bar sourcetype=df|eval hostmount=host+":"+MountedOn | timechart span=1h latest(UsePct)  by hostmount

I've noticed that it also works if I use latest() in combination with any other statistical function, such as median(), avg(), min(), etc. But it just doesn't work on its own. I'm using Splunk 6.2.4. Is this a bug or just something I'm not getting?

0 Karma
1 Solution

maciep
Champion

I just tried on 6.3.4 and it seems to be the same. If I had to guess, I'd say the problem is that latest doesn't work on numbers exclusively. Which is nice, because you may want to get the latest value of any field, strings included.

So with that in mind, using latest leaves the "%" on that field and maybe the timechart doesn't know what to do with it. Where it's possible that the other stats functions (max, avg, median, etc) are converting it to a number to actually perform the statistical function? And maybe if they're already doing it, then it gets done for latest too when it's included in the list?

I did notice that if I run this eval before the timechart, it seems to work with latest() on its own.

eval UsePct = trim(UsePct,"%")

Not sure if there is a more "inherent" way of telling the timechart to just convert it to a number itself...


echalex
Builder

Aha! Yes, you're definitely on the right track. I didn't consider that UsePct actually is a string with a %-sign at the end. When I check under the Statistics tab, I can see that latest(UsePct) on its own shows the values with a %-sign. If I also include max(UsePct), the sign is dropped from both values. Odd behaviour, perhaps, but whether it's a bug might be debatable.
Your solution is probably the simplest. Thanks!

0 Karma

echalex
Builder

Had to check. tonumber() won't work without trim(), so your solution seems the best.

0 Karma
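Putting the thread's findings together as one search (an added example, not code posted by anyone in this thread): strip the "%" first, because latest() keeps the field as a string, then convert to a number so timechart can plot it on its own. It assumes the same index, sourcetype and field names used in the question; the isnum() check line is only a diagnostic and can be dropped once the search is confirmed.

```spl
index=os (host=foo OR host=bar) sourcetype=df
| eval hostmount=host.":".MountedOn
| eval UsePct=tonumber(trim(UsePct,"%"))
| eval pct_is_numeric=if(isnum(UsePct),"yes","no")
| timechart span=1h latest(UsePct) by hostmount
```

Running the search up to the `pct_is_numeric` eval (without the timechart) and checking that column in the Statistics tab confirms that every event was converted; a "no" there means a value did not end with a plain "%" and the trim did not apply.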