Splunk Search

Why are we having an appendcols issue?

simon1524
Explorer

There is something wrong with the data output by using apendcols. The data of Total_Actual is blank from 02-2022. But actually there has data all of months. May I know what's the reason..?

index=sourceA

PRIORITY="High" OR
PRIORITY="Medium" OR
PRIORITY="Low"
WAS_CRITICAL="yes"
| eval _time=strptime(FIRST_SOLVED_DATE,"%Y-%m-%d %H:%M:%S.%N")
| timechart span=1mon count as Total

| appendcols [search index=sourceA

PRIORITY="Critical"
| eval _time=strptime(FIRST_SOLVED_DATE,"%Y-%m-%d %H:%M:%S.%N")
| timechart span=1mon count as Total_Actual]
| eval Rate_%=round((Total_Actual/Total)*100, 2)
| table _time, Total, Total_Actual, Rate_%
| tail 12
| sort _time

OUTPUT

_time Total Total_Actual Rate_%
2021-07-01T00:00:00.000+0200 76 64 84.21
2021-08-01T00:00:00.000+0200 74 51 68.92
2021-09-01T00:00:00.000+0200 81 45 55.56
2021-10-01T00:00:00.000+0200 75 71 94.67
2021-11-01T00:00:00.000+0200 118 58 49.15
2021-12-01T00:00:00.000+0200 101 105 103.96
2022-01-01T00:00:00.000+0200 81 86 106.17
2022-02-01T00:00:00.000+0200 95    
2022-03-01T00:00:00.000+0200 85    
2022-04-01T00:00:00.000+0200 96    
2022-05-01T00:00:00.000+0200 106    
2022-06-01T00:00:00.000+0200 141    
Labels (1)
Tags (1)
0 Karma
1 Solution

VatsalJagani
Champion

@simon1524 - Try this query instead:

index=sourceA
| eval _time=strptime(FIRST_SOLVED_DATE,"%Y-%m-%d %H:%M:%S.%N")

| timechart span=1mon count(eval((PRIORITY="High" OR PRIORITY="Medium" OR PRIORITY="Low") AND WAS_CRITICAL="yes")) as Total, count(eval(PRIORITY="Critical")) as Total_Actual

| eval Rate_%=round((Total_Actual/Total)*100, 2)
| table _time, Total, Total_Actual, Rate_%
| tail 12
| sort _time

Single timechart command without appendpipe should give you the results.

This query is much more robust and performance effective.

 

I hope this helps!!! Karma/upvote would be appreciated!!!

View solution in original post

VatsalJagani
Champion

@simon1524 - Try this query instead:

index=sourceA
| eval _time=strptime(FIRST_SOLVED_DATE,"%Y-%m-%d %H:%M:%S.%N")

| timechart span=1mon count(eval((PRIORITY="High" OR PRIORITY="Medium" OR PRIORITY="Low") AND WAS_CRITICAL="yes")) as Total, count(eval(PRIORITY="Critical")) as Total_Actual

| eval Rate_%=round((Total_Actual/Total)*100, 2)
| table _time, Total, Total_Actual, Rate_%
| tail 12
| sort _time

Single timechart command without appendpipe should give you the results.

This query is much more robust and performance effective.

 

I hope this helps!!! Karma/upvote would be appreciated!!!

simon1524
Explorer

With your query the data shows correctly.

Thank you very much!!

0 Karma
Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...