
Why am I getting unexpected results with my timechart search?

Explorer

I have the following data in my index

_time                          PUID             TotalMinutes    TotalDisconnectedMinutes
2016-04-17T00:04:21.000+0000    1003BFFD885D8FB1    853             36
2016-04-18T01:03:23.000+0000    1003BFFD885D8FB1    339             0
2016-04-19T02:04:26.000+0000    1003BFFD885D8FB1    298             0
2016-04-19T04:41:25.000+0000    1003BFFD885D8FB1    14              0
2016-04-20T00:17:48.000+0000    1003BFFD885D8FB1    188             0
2016-04-21T04:09:02.000+0000    1003BFFD885D8FB1    1013            6
2016-04-22T02:37:20.000+0000    1003BFFD885D8FB1    257             2

However, when I use the timechart command, the result is not what I expect it to be.

The search I ran:

index=tenanthealthmonitor (host=mapi_outlookAvailabilityPerPuid OR host=rpc_outlookAvailabilitPerPuid) tenant_guid=482198bb-ae7b-4b25-8b7a-6d7f32faa083  PUID=100300008479DB02 | timechart  span=1d sum(TotalMinutes) as Total_Minutes, sum(TotalDisconnectedMinutes) as TotalDisconnected_Minutes usenull=f

The result is:

_time                          Total_Minutes    TotalDisconnected_Minutes
2016-04-17T00:00:00.000+0000              989                          34
2016-04-18T00:00:00.000+0000             1855                          25
2016-04-19T00:00:00.000+0000             2232                          72
2016-04-20T00:00:00.000+0000             1908                          94
2016-04-21T00:00:00.000+0000             2014                          72
2016-04-22T00:00:00.000+0000              643                          17

How does timechart work?


Re: Why am I getting unexpected results with my timechart search?

Esteemed Legend

You told it to use spans of 1d, so it first calls bucket _time span=1d, which rounds all _time values for date:hour to 00:00, then it does the stats stuff. How else would you expect it to work?

If you do not think the sums are correct, what is probably happening is that what is considered today (in other words, what UTC/GMT offset value do you consider midnight?) is user-specific and determined by YOUR Timezone value in YOUR user settings on that Search Head. So if you have a different value than another user, you will probably get different results.

0 Karma
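Added example, not from any post in this thread: a small Python model of what timechart span=1d does to the rows in the question. It truncates each _time to midnight in a chosen zone (the bucket step) and then sums per bucket (the stats step), once in UTC and once with a constructed search-head Timezone of UTC-3, to show how the user's Timezone setting moves rows between day buckets.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows: the seven events from the question's first table
# as (_time, TotalMinutes, TotalDisconnectedMinutes).
ROWS = [
    ("2016-04-17T00:04:21.000+0000", 853, 36),
    ("2016-04-18T01:03:23.000+0000", 339, 0),
    ("2016-04-19T02:04:26.000+0000", 298, 0),
    ("2016-04-19T04:41:25.000+0000", 14, 0),
    ("2016-04-20T00:17:48.000+0000", 188, 0),
    ("2016-04-21T04:09:02.000+0000", 1013, 6),
    ("2016-04-22T02:37:20.000+0000", 257, 2),
]

UTC = timezone.utc
# Assumed user Timezone on the search head (constructed, fixed offset UTC-3).
SEARCH_HEAD_TZ = timezone(timedelta(hours=-3))


def bucket_day(ts: str, tz: timezone) -> datetime:
    """Model of `bucket _time span=1d`: convert _time to the user's zone and
    truncate it to local midnight."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(tz)
    return dt.replace(hour=0, minute=0, second=0, microsecond=0)


def timechart_1d(rows, tz: timezone) -> dict:
    """Model of `timechart span=1d sum(TotalMinutes) sum(TotalDisconnectedMinutes)`:
    returns {local_day: (Total_Minutes, TotalDisconnected_Minutes)}."""
    totals = defaultdict(lambda: [0, 0])
    for ts, minutes, disconnected in rows:
        key = bucket_day(ts, tz).strftime("%Y-%m-%d")
        totals[key][0] += minutes
        totals[key][1] += disconnected
    return {day: tuple(sums) for day, sums in sorted(totals.items())}


if __name__ == "__main__":
    # The two 2016-04-19 events share a UTC bucket but split across
    # 2016-04-18 and 2016-04-19 when midnight is taken in UTC-3.
    for label, tz in (("UTC", UTC), ("UTC-3", SEARCH_HEAD_TZ)):
        print(f"--- span=1d with user Timezone {label} ---")
        for day, (total, disc) in timechart_1d(ROWS, tz).items():
            print(f"{day}  {total:>6}  {disc:>4}")
```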

Re: Why am I getting unexpected results with my timechart search?

Explorer

Thank you knielsen and woodcock. My bad.

0 Karma

Re: Why am I getting unexpected results with my timechart search?

Contributor

You're querying a different dataset than you list here (PUID=1003BFFD885D8FB1 vs PUID=100300008479DB02), so the timechart output could actually be correct.



Re: Why am I getting unexpected results with my timechart search?

Champion

In addition to what others have stated, specifying span=1d translates to a timerange of "midnight to midnight". I see the timechart is correct based on this.

0 Karma

Re: Why am I getting unexpected results with my timechart search?

Explorer

Try with the stats command:

  • | stats sum(TotalMinutes) as TotalMinutes, sum(TotalDisconnectedMinutes) as TotalDisconnectedMinutes by date_mday

This will work better.

You can put the day and month in the same field, like:

  • | eval currentdate=date_month+"/"+date_mday