Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

timechart function not working as expected

riyastk
Observer
‎07-11-2024 11:01 PM

I have this query which is working well in Splunk8 whereas I am getting timechart with wrong values in Splunk9. Is there any chage in timchart or case function that may cause this query not to work perfectly?

 

index=my_index sourcetype=jetty_access_log host="apiserver--*" url="/serveapi*" | eval status_summary=case(status<200, "Invalid",status<300, "2xx", status<400, "3xx",status <500, "4xx",status<600, "5xx",True(),"Invalid") |  timechart span=5m count(eval(status_summary="2xx")) as count_http2xx, count(eval(status_summary="3xx")) as count_http3xx, count(eval(status_summary="4xx")) as count_http4xx, count(eval(status_summary="5xx")) as count_http5xx, count(eval(status_summary="Invalid")) as count_httpunk

This screenshot below shows the correct result (Splunk 😎

Screenshot 2024-07-12 at 11.28.31 AM.png

 

This screenshot shows the incorrect result ( Splunk 9)

Screenshot 2024-07-12 at 11.27.52 AM.png

 

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-12-2024 10:53 AM

You're running it on different sets of data, right? So how are we supposed to know what and why is the correct result?

Anyway, you're overthinking it. Replace the elaborate evals in your timechart with

| timechart span=5m  count by status_summary

Oh, and please post searches in either code block or preformatted style. Makes them much more readable.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2024 06:25 AM

What happens if you try this

|  timechart span=5m count by status_summary usenull=f useother=f
0 Karma
Reply

riyastk
Observer
‎07-12-2024 05:51 AM

Hi @gcusello  thanks for the reply. I checked the events for the "Invalid" matches (the default value in the case block) and I can see there is no "status" field being extracted for those events. So it's evident why those are marked as "Invalid". So the issue must be with the sourcetype, I guess. 

Sorry if I didn't mention that the data sets are not the same. I just want to show that the later screenshot has matches for count_httpunk and the first one doesn't have.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-12-2024 06:09 AM

Hi @riyastk ,

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-11-2024 11:30 PM

Ciao @riyastk ,

I am not aware that there have been any changes in the functioning of the timechart function; are you really sure that the data in the first case are the same as in the second?
what happens if you launch the search before the timechart and count the occurrences by sight?

In particular, check the values ​​that are indicated in your search as "Invalid".
Then, since you use the eval command, why don't you use the results of this command instead of the "<2xx" condition?
otherwise this command is useless.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...