Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

what makes tstats on _internal go wrong?

MonkeyK
Builder
‎10-22-2021 02:20 PM

My teammate and I have been trying to summarize our environment to automatically build a data dictionary.  Our last feature was to add a lastSeen time to use as a rudimentary data integrity check.  
Recently this has stopped working on the _internal index.  As in tstats max time on _internal is a week ago, even though a straight SPL search on index=_internal returns results for today or any other arbitrary slice of time I query over the last week.  This suggests to me that the tsidx is messed up for _internal.  

But to make matters more confusing, yesterday I was able to submit the same query and get a correct max(_time) for index=_internal.  

Does anyone have an idea of what is going on with this behavior? Better yet, what I need to do to fix it?

If it matters, this is a clustered search head environment and we also have quite a few indexers

 

usual results

 

 

 

| tstats count max(_time) as lastSeen where index=_* earliest=-20d@d latest=@m by index
| convert ctime(lastSeen)

 

 

 

index count lastSeen

_audit99999999910/22/2021 15:39:59
_internal999999910/14/2021 20:09:35
_introspection99999999910/22/2021 15:39:59
_telemetry99910/22/2021 12:05:05
Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎10-25-2021 01:26 PM

It's a known issue but not currently listed on  the known issues page (I have an active support case open on it).

I did ask why it's not on the known issues page, I'll ask support again for it to be listed...

Basically for tstats on the internal index you can add include_reduced_buckets=t, and that should make your results accurate.

However I found this made the search dramatically slower so it was better to not use tstats, they haven't provided a version with a bugfix yet...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎10-23-2021 10:49 PM

Which splunk version? I've hit an issue that appears to be a known issue with tstats and the internal index in 8.2.2...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

MonkeyK
Builder
‎10-25-2021 07:08 AM

I'm on 8.2.2 as well.
If the problem is really just _internal, I'm not super concerned.  But it really makes me uncomfortable that there might be errors with other indexes.

0 Karma
Reply
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎10-25-2021 01:26 PM

It's a known issue but not currently listed on  the known issues page (I have an active support case open on it).

I did ask why it's not on the known issues page, I'll ask support again for it to be listed...

Basically for tstats on the internal index you can add include_reduced_buckets=t, and that should make your results accurate.

However I found this made the search dramatically slower so it was better to not use tstats, they haven't provided a version with a bugfix yet...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...