Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the same search query used before & after the appendcols command producing different results in those 2 columns?

himynamesdave
Contributor
‎03-27-2015 08:22 AM

OK here are some searches, and resulting values:

#battlefornumber10 cameron | timechart span=10m count AS "Total number of Tweets mentioning Cameron"

time cameron
21:10 10325
01:10 144

#battlefornumber10 miliband | timechart span=10m count AS "Total number of Tweets mentioning Miliband"

time miliband
21:10 1759
01:10 96

#battlefornumber10 cameron | timechart span=10m count AS "Total number of Tweets mentioning Cameron"| appendcols [search #battlefornumber10 miliband | timechart span=10m count AS "Total number of Tweets mentioning Miliband" | fields "Total number of Tweets mentioning Miliband" ]

time cameron miliband
21:10 10325 12
01:10 144 1759

So the "cameron" column returns the same number of results, but the "miliband" column has reduced from 1759 to 12 for 21:10

However, looking at a different time 01:10 it appears the values for Miliband have been pushed to the future (+4 hours)

What is happening here?

0 Karma
Reply

somesoni2
Revered Legend
‎03-27-2015 12:32 PM

A better approach would be like this

#battlefornumber10 cameron OR miliband | eval Type="Total number of Tweets mentioning ".if(match(_raw,"cameron"),"Cameron","Miliband")| timechart span=10m count by Type
Reply

jmheaton
Path Finder
‎03-27-2015 09:00 AM

Run it again without the | fields in your append. The | field means you are not transferring the time field from the timechart, you are just transferring the data field.

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...