
Why are there missing days in the results of my "Month to date" chart search?

SplunkTrust

I have a search where I want to calculate total transaction volumes over time by transaction type. I'm populating results, but I notice there are some days missing. Here is a screen shot:

http://screencast.com/t/zNVURLk8Je

Here is the search I am using:

index=foo sourcetype=bar
| bucket span=1d _time
| dedup id
| stats count as volume, latest(transaction_type) as transaction_type by djarfrrw, _time
| eval _time=strftime(_time, "%m/%d/%Y")
| chart max(volume) over transaction_type by _time usenull=f useother=f

Is there anything in the search that might be causing the missing days?

Thanks in Advance!

0 Karma

Re: Why are there missing days in the results of my "Month to date" chart search?

SplunkTrust

Have you verified there are events on those days?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Re: Why are there missing days in the results of my "Month to date" chart search?

SplunkTrust

Yeah... so I removed usenull/useother=f and got the daily counts... I guess chart isn't as "smart" as timechart?

0 Karma

Re: Why are there missing days in the results of my "Month to date" chart search?

SplunkTrust

So do you still have missing dates OR it's resolved?

0 Karma

Re: Why are there missing days in the results of my "Month to date" chart search?

SplunkTrust

I still see the issue... If I run the search in 7-day increments things look OK... when I use Month to Date things are not populating correctly... not quite sure why.

0 Karma

Re: Why are there missing days in the results of my "Month to date" chart search?

Ultra Champion

If the issue persists, I would try writing the search another way to leverage the timechart command. If this works out for you, it's more of a native approach and less error-prone than extracting the date from the time field. Plus it probably performs faster since it's fewer commands:

index=foo sourcetype=bar id=*
| dedup id
| timechart span=1d count as volume, latest(transaction_type) as transaction_type by djarfrrw

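As an added example that is not part of the original thread (the field names index=foo, sourcetype=bar, id, djarfrrw and transaction_type are taken from the question; the data itself is assumed), here are three searches a practitioner would run in this situation. The first answers the earlier reply's question directly by listing, per day, how many events and how many distinct ids exist in the raw data, so a genuinely empty day can be told apart from a charting problem. The second is the original chart search with an explicit limit=0. By default chart keeps only 10 distinct values of the column-split field, and with useother=f the remainder are dropped silently rather than being folded into an OTHER column; when _time is the column-split, a month-to-date range of 28 to 31 days therefore loses everything past the tenth day, while a 7-day range fits under the limit, which matches the symptom described. The third is the accepted answer's timechart form, again with limit=0 so that no djarfrrw series is dropped either.

```spl
index=foo sourcetype=bar id=*
| bucket span=1d _time
| stats count AS events dc(id) AS unique_ids BY _time
| eval day=strftime(_time, "%Y-%m-%d")
| table day events unique_ids

index=foo sourcetype=bar
| bucket span=1d _time
| dedup id
| stats count AS volume latest(transaction_type) AS transaction_type BY djarfrrw _time
| eval _time=strftime(_time, "%m/%d/%Y")
| chart limit=0 max(volume) OVER transaction_type BY _time usenull=f useother=f

index=foo sourcetype=bar id=*
| dedup id
| timechart span=1d limit=0 count AS volume BY djarfrrw
```

Run the first search over the same Month to Date time range as the chart; any day missing from its output is missing from the index, not from the chart. If every day is present there but absent from the chart, the series limit is the cause, and limit=0 (or a limit at least as large as the number of days in the range) restores them. The timechart version also keeps _time as a real timestamp instead of a formatted string, so the x-axis stays in chronological order rather than being sorted lexically by the "%m/%d/%Y" text.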
