Re: Why do my post-process timecharts display bad ...

jip31 · ‎10-22-2021

Hi

I need to use a post process search for displaying a timechart

Here is my id configuration

  <search id="test">
    <query>index=tutu sourcetype="ica" $source$ $type$ $domain$ $site$ $ezconf$ | fields ica_latency_last_recorded ica_latency_session_avg idle_sec site host</query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>

and here is base configuration

 <search base="test">
          <query>
| search idle_sec &lt; 300 
| timechart span=1d avg(ica_latency_session_avg) as "Latence moyenne de la session (ms)"</query>
</search>

as you can see my timechart is on the last 7 days

but any values are retuned

what is wrong please?

somesoni2 · ‎10-22-2021

What problems do you see with your results (unclear in the question)?

jip31 · ‎10-22-2021

hi

I have any results with a post search

if i execute the inline search it works perfectly

somesoni2 · ‎10-22-2021

Try to add _time field in your base search fields. Like this:

<search id="test">
    <query>index=tutu sourcetype="ica" $source$ $type$ $domain$ $site$ $ezconf$ | fields _time ica_latency_last_recorded ica_latency_session_avg idle_sec site host</query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>

jip31 · ‎10-22-2021

whether I add _time or not I have now something very strange

I i run te dashboard wwith the base search now i have a value for the field "Latence moyenne (ms)" for yesterday and today only

But if i un the search inline I have results for all the last 7 days!!

How is it possible?

It sounds like a bug no? Or data lost?

ITWhisperer · ‎10-22-2021

Which version of splunk are you using?

jip31 · ‎10-22-2021

Splunk Enterprise
Version :7.3.7.1

Build :d3f7cf7c5493

ITWhisperer · ‎10-22-2021

Can you share some of your events from your first search?

jip31 · ‎10-22-2021

I cant cause RGPD but i confirm you that I have events

ITWhisperer · ‎10-22-2021

Presumably you have _time as one of the fields, even after the additional search?

jip31 · ‎10-22-2021

no

her eis the inline search which works fine

index=tutu sourcetype="toto" $source$ $type$ $domain$ $site$ $ezconf$ 
| fields ica_latency_last_recorded ica_latency_session_avg idle_sec site host
|search idle_sec < 300 
| timechart span=1d avg(ica_latency_last_recorded) as "Latence moyenne (ms)" 
| eval "Latence moyenne (ms)"=round('Latence moyenne (ms)',0) 
| eventstats avg("Latence moyenne (ms)") as Moyenne 
| eval Moyenne=round(Moyenne,0)

ITWhisperer · ‎10-22-2021

I can't repeat any problems with 7.3.3 in this regards. The only thing I can think of is that ica_latency_session_avg is non-numeric.

Why do my post-process timecharts display bad results

other

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...