Splunk Search

Why does _time bucket give different results depending on how the data is sorted?

Communicator

The following search returns two values (yesterday (1430780400) and today (1430866800)):
earliest=-d@d index=internal
| bucket _time span=1d
| stats values(_time)

This search returns only one value (yesterday (1430780400)):
earliest=-d@d index=internal
| sort _time
| bucket _time span=1d
| stats values(_time)

So sorting by _time affects the results of "bucket _time span=1d".
That looks like an undesired feature to me.


Motivator

How many events are searched for? I think the sort command you are using only uses 10k events.

Try this

 | sort 0 _time

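The mechanism behind the accepted answer can be seen by modelling the pipeline outside Splunk. The following Python script is an added example, not Splunk code and not from the original thread: it models the documented behaviour of the sort command (a default limit of 10,000 results unless `sort 0` is used), followed by `bucket _time span=1d` and `stats values(_time)`. The event counts (12,000 events yesterday, 3,000 today), the two timestamps taken from the question, and the day boundary (computed relative to the question's "yesterday" timestamp rather than UTC midnight) are constructed assumptions.

```python
DAY = 86400
SORT_DEFAULT_LIMIT = 10000  # documented default result limit of Splunk's sort command

# Bucket values quoted in the question (assumed local-time midnights).
YESTERDAY = 1430780400
TODAY = 1430866800


def make_events(n_yesterday, n_today):
    """Constructed event stream: n_yesterday timestamps spread across yesterday
    and n_today across today. Splunk hands events to the pipeline newest-first,
    so the stream is returned in reverse-chronological order."""
    events = [YESTERDAY + (i * DAY) // n_yesterday for i in range(n_yesterday)]
    events += [TODAY + (i * DAY) // n_today for i in range(n_today)]
    return sorted(events, reverse=True)


def spl_sort(events, limit=SORT_DEFAULT_LIMIT):
    """Model of `| sort _time`: ascending sort, then keep only the first `limit`
    results. limit=0 models `| sort 0 _time`, i.e. no truncation."""
    ordered = sorted(events)
    return ordered if limit == 0 else ordered[:limit]


def spl_bucket_day(events):
    """Model of `| bucket _time span=1d`: floor every timestamp to the start of
    its day, with day boundaries anchored at YESTERDAY (an assumption)."""
    return [YESTERDAY + ((t - YESTERDAY) // DAY) * DAY for t in events]


def spl_stats_values(events):
    """Model of `| stats values(_time)`: the distinct values, in ascending order."""
    return sorted(set(events))


def run_search(events, sort_limit=None):
    """The question's pipeline. sort_limit=None leaves the sort stage out,
    SORT_DEFAULT_LIMIT models `sort _time`, and 0 models `sort 0 _time`."""
    if sort_limit is not None:
        events = spl_sort(events, sort_limit)
    return spl_stats_values(spl_bucket_day(events))


if __name__ == "__main__":
    stream = make_events(n_yesterday=12000, n_today=3000)
    print("no sort       ->", run_search(stream))                      # both buckets
    print("sort _time    ->", run_search(stream, SORT_DEFAULT_LIMIT))  # yesterday only
    print("sort 0 _time  ->", run_search(stream, 0))                   # both buckets
```

Because the truncation happens after the ascending sort, the 10,000 events that survive are the oldest ones; once yesterday alone holds more than 10,000 events, every event from today is discarded before bucket and stats ever see it, and the newest bucket disappears without any warning in the results. Any search that feeds an alert or a report should therefore use `sort 0`, or move the sort after the stats stage so it only orders the small aggregated result set.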


Communicator

Thanks a lot, spot on. That was the problem. It's the second time I've forgotten that sort is constrained by default.
