Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my timechart search producing some events with no _time values and other field values are displaced in the resulting table?

msalaverry
New Member
‎08-26-2015 09:00 AM

Hi,

I have this search:

host="myhost.com" NOT source=*access_log* AND "SearchA" | timechart span=1d dc(App) as NotAssigned 
| eval NotAssigned=NotAssigned+0 | appendcols [search SearchB 
| timechart span=1d sum(Count) as Assigned ] 
| eval Time=strftime(_time, "%d-%m") |table  Time, Assigned, NotAssigned

This seems to work ok, but sometimes one of those variables is shown with no time for some events, and I don't know why.

This is the case:

alt text

When I made the searches individually, this was displayed correctly. But in some moments, it looks like there are some _time values missing.
Like in the attached image, today is 26-08, but the table is showing until 25-08, and one of the variables was displaced a couple of days.

Do you know how to fix it? ...

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-26-2015 10:17 AM

Try something like this

 host="myhost.com" NOT source=*access_log* AND "SearchA" | timechart span=1d dc(App) as NotAssigned 
 | eval NotAssigned=NotAssigned+0 | append [search SearchB 
 | timechart span=1d sum(Count) as Assigned ] | stats values(*) as * by _time
 | eval Time=strftime(_time, "%d-%m") |table  Time, Assigned, NotAssigned

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-26-2015 10:17 AM

Try something like this

 host="myhost.com" NOT source=*access_log* AND "SearchA" | timechart span=1d dc(App) as NotAssigned 
 | eval NotAssigned=NotAssigned+0 | append [search SearchB 
 | timechart span=1d sum(Count) as Assigned ] | stats values(*) as * by _time
 | eval Time=strftime(_time, "%d-%m") |table  Time, Assigned, NotAssigned
Reply
Solved! Jump to solution

msalaverry
New Member
‎08-27-2015 11:41 AM

Hey somesoni2... You were right, I updated the query and I missed to change appendcols to appen ...

Seems to be ok now... Thanks a lot!

0 Karma
Reply
Solved! Jump to solution

msalaverry
New Member
‎08-27-2015 07:49 AM

Tried, but didn't work 😞 .. Why is this happening?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-27-2015 09:52 AM

It is due to appendcols as there could be different dates available for both the queries. Could you please tell what went wrong with the query I suggested?

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...