Splunk Search

Why do my post-process timecharts display bad results

jip31
Builder

Hi

I need to use a post-process search to display a timechart.

Here is my id configuration:

  <search id="test">
    <query>index=tutu sourcetype="ica" $source$ $type$ $domain$ $site$ $ezconf$ | fields ica_latency_last_recorded ica_latency_session_avg idle_sec site host</query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>

and here is the base configuration:

  <search base="test">
    <query>
| search idle_sec &lt; 300
| timechart span=1d avg(ica_latency_session_avg) as "Latence moyenne de la session (ms)"</query>
  </search>

As you can see, my timechart covers the last 7 days,

but no values are returned.

What is wrong, please?


somesoni2
Revered Legend

What problems do you see with your results (unclear in the question)?


jip31
Builder

Hi,

I get no results with a post-process search.

If I execute the inline search, it works perfectly.

somesoni2
Revered Legend

Try adding the _time field to the fields list of your base search, like this:

  <search id="test">
    <query>index=tutu sourcetype="ica" $source$ $type$ $domain$ $site$ $ezconf$ | fields _time ica_latency_last_recorded ica_latency_session_avg idle_sec site host</query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>

jip31
Builder

Whether I add _time or not, I now have something very strange.

If I run the dashboard with the base search, I now have a value for the field "Latence moyenne (ms)" for yesterday and today only.

But if I run the search inline, I have results for all of the last 7 days!

How is it possible?

It sounds like a bug, no? Or lost data?
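A complete Simple XML dashboard that restructures the two searches from this thread, added here as an example; it is not code from the original posts. Splunk's dashboard documentation recommends that the base search of a post-process chain be a transforming search: a base search that returns raw events is subject to the post-process event limit (500,000 events by default, `max_count` in limits.conf), and because events are returned newest first, a truncated base search silently keeps only the most recent days. That is consistent with the "yesterday and today only" symptom described above, while the same search run inline, which has no such limit, shows all seven days. The example therefore turns the per-event filter `idle_sec < 300` into a bucket field, aggregates per day in the base search (keeping `_time` explicitly, as suggested above), and leaves only the bucket selection and the final average to the post-process search. The index, sourcetype, field names and the French column label are taken from the thread; the single `site` input is an assumption standing in for the original's five tokens, and the `idle_bucket`, `latency_sum` and `n` names are mine. Note that a literal `<` inside `<query>` must be written as `&lt;`, as the original post already does.

```xml
<form>
  <label>ICA latency (post-process example)</label>

  <fieldset submitButton="false">
    <!-- Assumed input: stands in for the original $source$ $type$ $domain$ $site$ $ezconf$ tokens. -->
    <input type="text" token="site">
      <label>Site</label>
      <default>*</default>
      <prefix>site="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>

  <!--
    Base search: transforming, so it is not subject to the raw-event cap
    on post-process base searches. The per-event condition idle_sec < 300
    becomes a bucket field, and latency is pre-aggregated per day and per
    bucket. _time is kept as a group-by key so timechart still works downstream.
    Field names idle_bucket, latency_sum and n are assumptions for this example.
  -->
  <search id="test">
    <query>index=tutu sourcetype="ica" $site$
| eval idle_bucket=if(idle_sec &lt; 300, "active", "idle")
| bin _time span=1d
| stats sum(ica_latency_session_avg) as latency_sum count(ica_latency_session_avg) as n by _time idle_bucket</query>
    <earliest>-7d@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <chart>
        <title>Average session latency, sessions idle less than 300 s</title>
        <!--
          Post-process search: must start with a pipe. It selects the bucket,
          re-sums per day (one row per day per bucket arrives from the base
          search) and derives the weighted average, so the result equals
          avg(ica_latency_session_avg) over the filtered events.
        -->
        <search base="test">
          <query>| search idle_bucket="active"
| timechart span=1d sum(latency_sum) as latency_sum sum(n) as n
| eval "Latence moyenne de la session (ms)"=round(latency_sum/n, 0)
| fields - latency_sum n</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Because the base search returns at most two rows per day, the post-process search receives a small statistics table regardless of how many raw events the seven-day window contains, so the chart cannot lose older days to truncation. If further panels need the same data, they can share `base="test"` and select `idle_bucket="idle"` or compute other ratios from `latency_sum` and `n` without re-running the indexed search.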

ITWhisperer
SplunkTrust

Which version of Splunk are you using?

jip31
Builder
Splunk Enterprise
Version: 7.3.7.1
Build: d3f7cf7c5493

ITWhisperer
SplunkTrust

Can you share some of your events from your first search?


jip31
Builder

I can't because of GDPR, but I confirm that I have events.

ITWhisperer
SplunkTrust

Presumably you have _time as one of the fields, even after the additional search?


jip31
Builder

No.

Here is the inline search, which works fine:

index=tutu sourcetype="toto" $source$ $type$ $domain$ $site$ $ezconf$
| fields ica_latency_last_recorded ica_latency_session_avg idle_sec site host
| search idle_sec < 300
| timechart span=1d avg(ica_latency_last_recorded) as "Latence moyenne (ms)"
| eval "Latence moyenne (ms)"=round('Latence moyenne (ms)',0)
| eventstats avg("Latence moyenne (ms)") as Moyenne
| eval Moyenne=round(Moyenne,0)

ITWhisperer
SplunkTrust

I can't reproduce any problems with 7.3.3 in this regard. The only thing I can think of is that ica_latency_session_avg is non-numeric.