Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

stats and timechart count not returning count of events. instead uses last value in the first column

scc00
Communicator
‎06-19-2018 04:13 PM

I am trying to get a simple count of events, instead i am getting the value of the first column as the count. Below is the simple search I am running.

index=main sourcetype=proxylog | eval MBout=round(((bytesout/(1024*1024)))) | timechart count(MBout)

There are only 3 events, so I am expecting the count to give me 3. instead it picks the last number in the first column which is 0.. eg below

time count(MBout)
2018-06-18 19:00:00 804
2018-06-18 19:30:00 837
2018-06-18 20:00:00 833
2018-06-18 20:30:00 839
2018-06-18 21:00:00 798
2018-06-18 21:30:00 848
2018-06-18 22:00:00 850
2018-06-18 22:30:00 819
2018-06-18 23:00:00 850
2018-06-18 23:30:00 819
2018-06-19 00:00:00 642
2018-06-19 00:30:00 345
2018-06-19 01:00:00 280
2018-06-19 01:30:00 270
2018-06-19 02:00:00 116
2018-06-19 02:30:00 4
2018-06-19 03:00:00 0
2018-06-19 03:30:00 0
2018-06-19 04:00:00 0
2018-06-19 04:30:00 0

0 Karma
Reply
Highlighted

Re: stats and timechart count not returning count of events. instead uses last value in the first column

Ayn
Legend
‎06-19-2018 09:44 PM

Please elaborate, what do you mean by that there are 3 events? Which first column are you referring to?

0 Karma
Reply
Highlighted

Re: stats and timechart count not returning count of events. instead uses last value in the first column

gcusello
Legend
‎06-19-2018 10:57 PM

Hi scc00,
at first, if you want to count events, you don't need to use eval command,

index=main sourcetype=proxy_log 
| timechart count

If instead you want the sum of bytes you have to use eval command but in timechart you have to use sum function,

index=main sourcetype=proxy_log 
| eval MB_out=round(bytes_out/1024/1024) 
| timechart sum(MB_out)

Anyway, are you sure that you have events with bytes_out in the period when you have 0?

Bye.
Giuseppe

0 Karma
Reply
Highlighted

Re: stats and timechart count not returning count of events. instead uses last value in the first column

scc00
Communicator
‎06-21-2018 09:54 AM

Yes i have done all of that. I still get the last value in the timechart count) series. This is why i opened this question..this shouldn't happen, it's a simple command.

0 Karma
Reply