Activity Feed
- Got Karma for Re: Problem with a query not returning proper data with nested search. 06-05-2020 12:46 AM
- Posted Re: How to enable "Verbose mode" as default in advanced XML or change search query to return proper values? on Splunk Search. 10-30-2014 08:34 AM
- Posted How to enable "Verbose mode" as default in advanced XML or change search query to return proper values? on Splunk Search. 10-29-2014 09:18 AM
- Tagged How to enable "Verbose mode" as default in advanced XML or change search query to return proper values? on Splunk Search. 10-29-2014 09:18 AM
- Posted Re: Problem with a query not returning proper data with nested search on Splunk Search. 05-19-2014 08:26 AM
- Posted Problem with a query not returning proper data with nested search on Splunk Search. 05-16-2014 12:29 PM
- Tagged Problem with a query not returning proper data with nested search on Splunk Search. 05-16-2014 12:29 PM
Topics I've Started
10-30-2014
08:34 AM
Thanks Martin, but if you look at my query I was already listing, or trying, the latest and it did not fix the problem.
It sure looks like in this grouping that the last, first and latest functions are not working correctly. Here is how I fixed my problem and made the selection work correctly within the groups.
index=caabistats
| bucket span=1w _time
| eval val1=replace( strptime(src_date, "%Y-%m-%d") + "," + tostring(total_found_devices), "Null", "0" )
| stats min(val1) as val1 by _time
| rex field=val1 "\d+,(?<dev_count>\d+)"
| stats values(dev_count) as dev_count by _time
| delta dev_count as dev_diff
| timechart span="1w" values(dev_diff) as "Total Devices"
Rowan
10-29-2014
09:18 AM
First off I am running Splunk version 6.1
My input data is a total device count that is updated daily. I am trying to show week by week growth, so I only need to get one of the values each week and then take the difference between the weeks and show it as a column report. Easy so far.
Here is what a single day's input looks like; I have one of these per day:
src_host=op2-prd1-db02.cisco.com,src_date="2014-10-29 10:04:01.753828+00",total_found_devices="386775"
When I run the following query: index=caabistats | bucket span=1w _time | stats values(total_found_devices), first(total_found_devices), last(total_found_devices), latest(total_found_devices) by _time
I can see the 7 daily values and using the first, last and latest functions it shows the values from the bucket. When looking at the Statistics tab everything looks good on the first page of results, but starting on the second page the first, last and latest start choosing random items in the bucket but not every bucket has the problem but the majority of them do. The first and latest values are always the same.
_time values(total_found_devices), first(total_found_devices), last(total_found_devices), latest(total_found_devices)
2014-01-09 00:00:00 (131962, 132797, 133449, 133568, 133816, 134410, 135207), 131962, 135207, 131962 <== flipped and wrong
2014-01-16 00:00:00 (135899, 136467, 137101, 137213, 137452, 138252, 138693), 135899, 136467, 135899 <== wrong
2014-01-23 00:00:00 (139462, 140161, 140725, 140785, 141134, 141835, 142498), 139462, 141835, 139462 <== wrong
2014-01-30 00:00:00 (143186, 144187, 144664, 144736, 145134, 145756, 146632), 146632, 143186, 146632 <== correct
2014-02-06 00:00:00 (147261, 147985, 148254, 148378, 148570, 149165, 149898), 149165, 149898, 149165 <== wrong
2014-02-13 00:00:00 (150861, 151604, 152031, 152056, 152096, 152912, 153667), 151604, 152031, 151604 <== wrong
2014-02-20 00:00:00 (154337, 154947, 155274, 155382, 155897, 156945, 157778), 155897, 156945, 155897 <== wrong
2014-02-27 00:00:00 (158404, 159490, 160044, 160173, 160551, 161360, 161935), 161935, 158404, 161935 <== correct
2014-03-06 00:00:00 (162515, 163503, 164114, 164253, 164483, 165410, 166101), 166101, 162515, 166101 <== correct
2014-03-13 00:00:00 (166989, 167793, 168539, 168844, 169163, 170180, 171480), 166989, 171480, 166989 <== flipped and wrong
Now this only happens when I am in the fast or smart modes. If I change the mode to verbose then the values are always correct. Looking around I cannot see a way to make the verbose method the default in my advanced XML. Seems like the first, last functions are not correct unless I am in verbose mode.
I have also tried changing the query around like this, with exactly the same results:
index=caabistats |timechart span="1w" last(total_found_devices) as dev_count
| delta dev_count as dev_diff
| timechart span="1w" values(dev_diff) as "Total Devices"
Any help or tips would be appreciated
Rowan
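A small Python model of the ordering problem described in this post and of the min()-based fix from the reply above, added here as an example and not part of the original posts. The four weekly buckets are constructed from the table quoted in the post; a first()-style aggregate changes when the same events arrive newest-first instead of oldest-first, while the min()-based aggregate and the week-over-week delta built on it do not.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: four of the weekly buckets quoted in the post
# (bucket start -> the 7 daily total_found_devices values, oldest first).
WEEKLY_SAMPLES = {
    date(2014, 1, 9):  [131962, 132797, 133449, 133568, 133816, 134410, 135207],
    date(2014, 1, 16): [135899, 136467, 137101, 137213, 137452, 138252, 138693],
    date(2014, 1, 23): [139462, 140161, 140725, 140785, 141134, 141835, 142498],
    date(2014, 1, 30): [143186, 144187, 144664, 144736, 145134, 145756, 146632],
}

def daily_events():
    """Expand the samples into one (day, count) event per day, oldest first."""
    events = []
    for start, counts in WEEKLY_SAMPLES.items():
        for offset, count in enumerate(counts):
            events.append((start + timedelta(days=offset), count))
    return events

def bucket_by_week(events):
    """Mimic `bucket span=1w _time`: group counts by the week bucket each day falls in."""
    buckets = defaultdict(list)
    for day, count in events:
        start = max(s for s in WEEKLY_SAMPLES if s <= day)  # latest bucket start <= day
        buckets[start].append(count)
    return buckets

def stats_first(events):
    """Order-dependent, like first()/last(): whatever event arrived first in the bucket."""
    return {week: vals[0] for week, vals in bucket_by_week(events).items()}

def stats_min(events):
    """Order-independent, like min(): the fix the reply settled on."""
    return {week: min(vals) for week, vals in bucket_by_week(events).items()}

def weekly_growth(per_week):
    """Mimic `delta`: week-over-week difference of the chosen per-bucket value."""
    weeks = sorted(per_week)
    return {weeks[i]: per_week[weeks[i]] - per_week[weeks[i - 1]]
            for i in range(1, len(weeks))}

def compare_orderings():
    """Run both aggregations over the same events in oldest-first and newest-first order."""
    oldest_first = daily_events()
    newest_first = list(reversed(oldest_first))  # stands in for a search returning events unordered
    return {
        "first_is_stable": stats_first(oldest_first) == stats_first(newest_first),
        "min_is_stable": stats_min(oldest_first) == stats_min(newest_first),
    }
```

Calling compare_orderings() reports first_is_stable False and min_is_stable True, and weekly_growth(stats_min(daily_events())) gives the same per-week differences whichever order the events arrive in.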
05-19-2014
08:26 AM
1 Karma
I missed the '~'; it should have been a '-', and that fixed the problem. I guess I have been looking at it too long. There are only 325 rows being returned before the sort, one row for each day, that look like this: src_host=op2-prd1-db02, src_date="2014-05-19 10:04:01.271495+00", customer_count="11660", caa_customer_count="3038", cna_customer_count="9706", findit_customer_count="1", total_found_devices="217483", caa_found_devices="62984", cna_found_devices="123858", findit_found_devices="30547"
That query gives me the current day's, previous day's and 7-days-ago numbers.
Thanks
05-16-2014
12:29 PM
I have a query that has two nested searches, it has been working correctly for at least a few years when I was using Splunk 5.x but I have recently updated to Splunk 6.1 and the nested queries are not working properly. The first one (1 day ago) will work on some days but not always, the second sub query (7 days ago) always returns the wrong results.
I can take each of the searches and run them in the search bar: the primary always works, but the two sub-searches will not work in smart mode, though if I change it to verbose mode they work correctly. I first added a SearchMode and could see that my post query had the proper adhoc_search_level value set, but it still would not work.
Here is my query:
index=caabistats | sort ~_time | head 1
| eval caa_cna_customer_count=(caa_customer_count+cna_customer_count)-customer_count
| table customer_count, caa_customer_count, cna_customer_count, caa_cna_customer_count, total_found_devices, caa_found_devices, cna_found_devices, findit_found_devices
| rename customer_count as "Total Customer Count",
caa_customer_count as "CAA Customer Count",
cna_customer_count as "CNA Customer Count",
caa_cna_customer_count as "CAA and CNA Customer Count",
total_found_devices as "Total Found Devices",
caa_found_devices as "CAA Found Devices",
cna_found_devices as "CNA Found Devices",
findit_found_devices as "FindIt Found Devices"
| transpose
| rename column as "Basic Information", "row 1" as Current
| join[search index=caabistats | sort ~_time | head 2 | tail 1
| eval caa_cna_customer_count=(caa_customer_count+cna_customer_count)-customer_count
| table customer_count, caa_customer_count, cna_customer_count, caa_cna_customer_count, total_found_devices, caa_found_devices, cna_found_devices, findit_found_devices
| rename customer_count as "Total Customer Count",
caa_customer_count as "CAA Customer Count",
cna_customer_count as "CNA Customer Count",
caa_cna_customer_count as "CAA and CNA Customer Count",
total_found_devices as "Total Found Devices",
caa_found_devices as "CAA Found Devices",
cna_found_devices as "CNA Found Devices",
findit_found_devices as "FindIt Found Devices"
| transpose
| rename column as "Basic Information", "row 1" as "1 day ago"]
| join[search index=caabistats | sort ~_time | head 7 | tail 1
| eval caa_cna_customer_count=(caa_customer_count+cna_customer_count)-customer_count
| table customer_count, caa_customer_count, cna_customer_count, caa_cna_customer_count, total_found_devices, caa_found_devices, cna_found_devices, findit_found_devices
| rename customer_count as "Total Customer Count",
caa_customer_count as "CAA Customer Count",
cna_customer_count as "CNA Customer Count",
caa_cna_customer_count as "CAA and CNA Customer Count",
total_found_devices as "Total Found Devices",
caa_found_devices as "CAA Found Devices",
cna_found_devices as "CNA Found Devices",
findit_found_devices as "FindIt Found Devices"
| transpose
| rename column as "Basic Information", "row 1" as "7 days ago"]
I did figure out a workaround and it is listed here:
index=caabistats | sort ~_time | head 1
| eval caa_cna_customer_count=(caa_customer_count+cna_customer_count)-customer_count
| table customer_count, caa_customer_count, cna_customer_count, caa_cna_customer_count, total_found_devices, caa_found_devices, cna_found_devices, findit_found_devices
| rename customer_count as "Total Customer Count",
caa_customer_count as "CAA Customer Count",
cna_customer_count as "CNA Customer Count",
caa_cna_customer_count as "CAA and CNA Customer Count",
total_found_devices as "Total Found Devices",
caa_found_devices as "CAA Found Devices",
cna_found_devices as "CNA Found Devices",
findit_found_devices as "FindIt Found Devices"
| transpose
| rename column as "Basic Information", "row 1" as Current
| join[search index=caabistats earliest=-1d@d latest=-1d@d+1d
| eval caa_cna_customer_count=(caa_customer_count+cna_customer_count)-customer_count
| table customer_count, caa_customer_count, cna_customer_count, caa_cna_customer_count, total_found_devices, caa_found_devices, cna_found_devices, findit_found_devices
| rename customer_count as "Total Customer Count",
caa_customer_count as "CAA Customer Count",
cna_customer_count as "CNA Customer Count",
caa_cna_customer_count as "CAA and CNA Customer Count",
total_found_devices as "Total Found Devices",
caa_found_devices as "CAA Found Devices",
cna_found_devices as "CNA Found Devices",
findit_found_devices as "FindIt Found Devices"
| transpose
| rename column as "Basic Information", "row 1" as "1 day ago"]
| join[search index=caabistats earliest=-7d@d latest=-7d@d+1d
| eval caa_cna_customer_count=(caa_customer_count+cna_customer_count)-customer_count
| table customer_count, caa_customer_count, cna_customer_count, caa_cna_customer_count, total_found_devices, caa_found_devices, cna_found_devices, findit_found_devices
| rename customer_count as "Total Customer Count",
caa_customer_count as "CAA Customer Count",
cna_customer_count as "CNA Customer Count",
caa_cna_customer_count as "CAA and CNA Customer Count",
total_found_devices as "Total Found Devices",
caa_found_devices as "CAA Found Devices",
cna_found_devices as "CNA Found Devices",
findit_found_devices as "FindIt Found Devices"
| transpose
| rename column as "Basic Information", "row 1" as "7 days ago"]
Looks like there might be some problem or bug in Splunk 6.1 when using sort ~ time | head x | tail 1