timechart function not working as expected

riyastk
Observer

I have this query which is working well in Splunk 8, whereas I am getting a timechart with wrong values in Splunk 9. Is there any change in the timechart or case function that may cause this query not to work perfectly?


index=my_index sourcetype=jetty_access_log host="apiserver--*" url="/serveapi*"
| eval status_summary=case(status<200, "Invalid", status<300, "2xx", status<400, "3xx", status<500, "4xx", status<600, "5xx", True(), "Invalid")
| timechart span=5m count(eval(status_summary="2xx")) as count_http2xx, count(eval(status_summary="3xx")) as count_http3xx, count(eval(status_summary="4xx")) as count_http4xx, count(eval(status_summary="5xx")) as count_http5xx, count(eval(status_summary="Invalid")) as count_httpunk

This screenshot below shows the correct result (Splunk 8)

Screenshot 2024-07-12 at 11.28.31 AM.png


This screenshot shows the incorrect result (Splunk 9)

Screenshot 2024-07-12 at 11.27.52 AM.png


PickleRick
SplunkTrust

You're running it on different sets of data, right? So how are we supposed to know what and why is the correct result?

Anyway, you're overthinking it. Replace the elaborate evals in your timechart with

| timechart span=5m  count by status_summary

Oh, and please post searches in either code block or preformatted style. Makes them much more readable.


ITWhisperer
SplunkTrust

What happens if you try this?

| timechart span=5m count by status_summary usenull=f useother=f

riyastk
Observer

Hi @gcusello, thanks for the reply. I checked the events for the "Invalid" matches (the default value in the case block) and I can see there is no "status" field being extracted for those events. So it's evident why those are marked as "Invalid". So the issue must be with the sourcetype, I guess.

Sorry if I didn't mention that the data sets are not the same. I just wanted to show that the later screenshot has matches for count_httpunk and the first one doesn't.

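To make the diagnosis above concrete, here is an added Python example (not from the thread and not Splunk's own code) that replays the search's logic over a few constructed jetty-style access-log lines. One constructed line carries "-" in the status column, so no numeric status is extracted for it, which is exactly the situation riyastk found: every comparison in case() is false for a missing field, so the event falls through to the true() default and is counted as "Invalid". The parser regex, the 5-minute bucketing and the column names are assumptions made for the example; the status column name and the case() thresholds follow the original search.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real traffic). The fourth line has "-" where
# the status should be, mimicking an event for which Splunk extracts no "status".
SAMPLE_LOG = """\
10.0.0.1 - - [12/Jul/2024:11:00:03 +0000] "GET /serveapi/items HTTP/1.1" 200 512
10.0.0.2 - - [12/Jul/2024:11:02:41 +0000] "GET /serveapi/items/7 HTTP/1.1" 404 98
10.0.0.3 - - [12/Jul/2024:11:04:59 +0000] "POST /serveapi/items HTTP/1.1" 503 0
10.0.0.4 - - [12/Jul/2024:11:05:10 +0000] "GET /serveapi/items HTTP/1.1" - -
10.0.0.5 - - [12/Jul/2024:11:07:22 +0000] "GET /serveapi/items HTTP/1.1" 302 0
10.0.0.6 - - [12/Jul/2024:11:09:58 +0000] "GET /healthz HTTP/1.1" 200 12
"""

# Assumed access-log layout; a numeric status is only extracted when the column
# is all digits, the way a \d+ field extraction would behave.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\S+) (?P<bytes>\S+)$'
)

# Column names used by the original timechart, keyed by status_summary value.
COLUMNS = {
    "2xx": "count_http2xx",
    "3xx": "count_http3xx",
    "4xx": "count_http4xx",
    "5xx": "count_http5xx",
    "Invalid": "count_httpunk",
}


def parse_line(line):
    """Return {_time, url, status} for one line, status=None if not numeric."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    url = parts[1] if len(parts) > 1 else ""
    raw_status = m.group("status")
    status = int(raw_status) if raw_status.isdigit() else None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"_time": ts, "url": url, "status": status}


def status_summary(status):
    """Mirror of the search's case() expression.

    A null status makes every '<' comparison false, so the true() default
    applies; that is why unextracted events show up under count_httpunk."""
    if status is None:
        return "Invalid"
    if status < 200:
        return "Invalid"
    if status < 300:
        return "2xx"
    if status < 400:
        return "3xx"
    if status < 500:
        return "4xx"
    if status < 600:
        return "5xx"
    return "Invalid"


def floor_to_span(ts, span):
    """Align a timestamp to the start of its span (UTC), like timechart span=."""
    epoch = ts.timestamp()
    start = epoch - (epoch % span.total_seconds())
    return datetime.fromtimestamp(start, tz=timezone.utc)


def matching_events(log_text):
    """Apply the search's url="/serveapi*" filter and drop unparseable lines."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and ev["url"].startswith("/serveapi"):
            ev["raw"] = line
            yield ev


def timechart(log_text, span=timedelta(minutes=5)):
    """Per-span counts with the same five columns as the original search."""
    buckets = defaultdict(lambda: {col: 0 for col in COLUMNS.values()})
    for ev in matching_events(log_text):
        bucket = floor_to_span(ev["_time"], span).isoformat()
        buckets[bucket][COLUMNS[status_summary(ev["status"])]] += 1
    return {k: buckets[k] for k in sorted(buckets)}


def invalid_events(log_text):
    """The check gcusello suggests: list the raw events that land in 'Invalid'."""
    return [ev["raw"] for ev in matching_events(log_text)
            if status_summary(ev["status"]) == "Invalid"]


if __name__ == "__main__":
    for bucket, counts in timechart(SAMPLE_LOG).items():
        print(bucket, counts)
    print("Invalid:", invalid_events(SAMPLE_LOG))
```

Running it puts the 200/404/503 events in the 11:00 bucket, the 302 and the status-less event in the 11:05 bucket, and lists only the "-" line under Invalid; the /healthz line is filtered out by the url prefix, as in the original search. In Splunk itself the equivalent check is to run the search up to the eval and add `| where status_summary="Invalid"` (or `| where isnull(status)`) to see the raw events before the timechart collapses them.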

gcusello
SplunkTrust

Hi @riyastk ,

Let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉


gcusello
SplunkTrust

Ciao @riyastk ,

I am not aware of any changes in the functioning of the timechart function; are you really sure that the data in the first case are the same as in the second?
What happens if you run the search up to the timechart and count the occurrences by eye?

In particular, check the values that are indicated in your search as "Invalid".
Then, since you use the eval command, why don't you use the results of this command instead of the "<2xx" condition?
Otherwise this command is useless.

Ciao.

Giuseppe
