Splunk Search

Why am I getting different results based on the time modifiers used to control the dates within a search?

HattrickNZ
Motivator

Has anyone had any experience, getting different results depending on the date modifiers used to control the dates?

I have a basic search that seems to give different results depending on the date selectors I use.
I want to be able to control the date within the search because I am trying to join different searches together, but when I use it, I get different results as I show below:

I expect 2 and 3 to be the right answer.

no - day & value - time modifier in search - time range selected from the drop-down - no of events for the 7th Feb

1 - 7 feb 2016 27410.63 - no time modifier in the search - all time selected in the presets drop-down time selector - ?? events
1A - 7 feb 2016 32304.73 - no time modifier in the search - Last 30 Days selected in the presets dropdown time selector - 192 events
2 - 7 feb 2016 16152.36 - no time modifier in the search - Date-range from the drop-down time selector between 01/02/2016 and 29/02/2016 selected - 96 events
3 - 7 feb 2016 16152.36 - no time modifier in the search - Date-range from the drop-down time selector between 07/02/2016 and 07/02/2016 selected - 96 events
4 - 7 feb 2016 32304.73 - earliest=-30d in the search - all time selected in the presets drop-down time selector - 192 events
5 - 7 feb 2016 32304.73 - starttime= 01/01/2016:00:00:00 in the search - all time selected in the presets dropdown time selector - 192 events

But I am not sure why I am getting the others?

For instance 16152.36 is the answer I would expect for 7 feb and this can be achieved using 2 & 3 above (using the Date-range from the drop-down time selector)
but I get double the answer 32304.73 when I include a date modifier in the search(which is what I want to be able to do). (Also this happens for a 2 week period, and other periods are okay.
And within this 2 week period it is not always double)
Also, with no 1 search above, i get a different answer altogether (27410.63 all time selected in the presets drop-down time selector)

So basically is the data stored doubled in places? If so why does it not appear when I use the drop-down time selector?

Really appreciate any help/pointers.

The above table can be explained as follows:
no - the search no.
day & value - the value of the chosen field for a specific date
time modifier in search - the time modifier I want to use to control in the search e.g. earliest=-30d , starttime= 01/01/2016:00:00:00
time range selected from the dropdown - the time range selected using the dropdown date picker in the top right of the search bar
no of events for the 7th Feb - this is the number of events seen on the 7th feb

My search looks like this (when I want to control the dates searched I use earliest=-30d , starttime= 01/01/2016:00:00:00
and place it after duration=PT3600S and befor the | pipe):

index=core host="snzclakl598" elementType=UGW measObjLdn=*"/UGW Function:"* measInfoId=134221229 OR measInfoId=138412032 duration=PT3600S | 
eval c138412090_KB_MB=c138412090/1000 | 
eval c138412094_KB_MB=c138412094/1000 | 
timechart  span=d 
sum(c134686691) AS "Gi downlink traffic in MB" 
sum(c134686689) AS "Gi uplink traffic in MB" 
sum(c138412090_KB_MB) AS "SGi downlink user traffic in MB" 
sum(c138412094_KB_MB) AS "SGi uplink user traffic in MB" | 
addtotals fieldname=GiTotalAmount_MB Gi* | 
addtotals fieldname=SGiTotalAmount_MB SGi* | 
eval GiTotalAmount_GB=GiTotalAmount_MB*1000000/1024/1024/1024 | 
eval SGiTotalAmount_GB=SGiTotalAmount_MB*1000000/1024/1024/1024 | 
fields + _time SGiTotalAmount_GB GiTotalAmount_GB
0 Karma

maciep
Champion

I'm only guessing, but I wonder if it has to do with the snap-to value. Do you get different results if you run the -30d searches at different times of the day? What if you were to use -30d@d instead to snap to the day.

Not sure if the timechart documentation will be helpful here, but lots of info about the various span/bucket options
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/timechart

0 Karma

HattrickNZ
Motivator

tks, but in theory that would only affect the snap to days in question, the days in between should be un affected. just strange behaviour, not sure what is going on!

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...