Hi
I need to use a post-process search to display a timechart.
Here is my id configuration:
<search id="test">
<query>index=tutu sourcetype="ica" $source$ $type$ $domain$ $site$ $ezconf$ | fields ica_latency_last_recorded ica_latency_session_avg idle_sec site host</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
And here is the base configuration:
<search base="test">
<query>
| search idle_sec &lt; 300
| timechart span=1d avg(ica_latency_session_avg) as "Latence moyenne de la session (ms)"</query>
</search>
As you can see, my timechart is on the last 7 days,
but no values are returned.
What is wrong, please?
Hi
I have no results with a post search.
If I execute the inline search, it works perfectly.
Try adding the _time field to your base search fields, like this:
<search id="test">
<query>index=tutu sourcetype="ica" $source$ $type$ $domain$ $site$ $ezconf$ | fields _time ica_latency_last_recorded ica_latency_session_avg idle_sec site host</query>
<earliest>-7d@h</earliest>
<latest>now</latest>
</search>
Whether I add _time or not, I now have something very strange.
If I run the dashboard with the base search, I now have a value for the field "Latence moyenne (ms)" for yesterday and today only.
But if I run the search inline, I have results for all of the last 7 days!!
How is it possible?
It sounds like a bug, no? Or data loss?
Which version of Splunk are you using?
Splunk Enterprise
Version: 7.3.7.1
Build: d3f7cf7c5493
Can you share some of your events from your first search?
I can't because of RGPD, but I confirm that I have events.
Presumably you have _time as one of the fields, even after the additional search?
No.
Here is the inline search, which works fine:
index=tutu sourcetype="toto" $source$ $type$ $domain$ $site$ $ezconf$
| fields ica_latency_last_recorded ica_latency_session_avg idle_sec site host
| search idle_sec < 300
| timechart span=1d avg(ica_latency_last_recorded) as "Latence moyenne (ms)"
| eval "Latence moyenne (ms)"=round('Latence moyenne (ms)',0)
| eventstats avg("Latence moyenne (ms)") as Moyenne
| eval Moyenne=round(Moyenne,0)
I can't repeat any problems with 7.3.3 in this regard. The only thing I can think of is that ica_latency_session_avg is non-numeric.