Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the append command in my search showing incorrect results?

HeinzWaescher
Motivator
‎07-08-2015 08:48 AM

Hi,

My search looks like this:

base search...
| timechart span=1d  dc(user_id) AS daily_customers
| timechart span=1mon avg(daily_customers) AS avg_daily_customers
| eval avg_daily_customers=round(avg_daily_customers,0)

| append  [base search...
| timechart span=1mon  dc(user_id) AS daily_customers]

The base search is about 14.000.000 events in both cases. The append command shows up incorrect results and I think this is caused by the maxtime and/or timeout . I tried to increase these parameters, but afterwards, nothing is appended.

| append  [base search... maxtime=1800 timeout=1800
| timechart span=1mon  dc(user_id) AS daily_customers]

What am I doing wrong with the append command?

BR

Heinz

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-08-2015 05:57 PM

Replace this

... | append [base search... maxtime=1800 timeout=1800 ...]

with this

... | append maxtime=1800 timeout=1800 [...]

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/append

Additionally, I'd question any case that executes the same base search twice only to apply different stats.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-08-2015 05:57 PM

Replace this

... | append [base search... maxtime=1800 timeout=1800 ...]

with this

... | append maxtime=1800 timeout=1800 [...]

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/append

Additionally, I'd question any case that executes the same base search twice only to apply different stats.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2015 12:52 AM

I'm not sure if there are limits on these limits, but if you need a six-hour append you're in serious need of some refactoring.

How 'bout something along these lines?

  base search | bin span=1d _time | stats count by _time user_id
| eventstats dc(user_id) as daily_customers by _time
| timechart span=1mon avg(daily_customers) AS avg_daily_customers dc(user_id) AS daily_customers
| eval avg_daily_customers=round(avg_daily_customers,0)
0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎07-13-2015 01:24 AM

I think in practice I would need an append of 15min, I was just interested in the possibilities of these options.
Generally I try to avoid eventstats for large searches, because the search performance was very low, when I used it in the past. But I will give it a try again

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎07-13-2015 12:28 AM

This works fine, thanks!
Are there limits for these options or can it set them to 6 hours as well?
I used the same base search twice because I wanted to combine a new metric out of both results. This is the only way I was able to do this.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-08-2015 10:11 AM

Is it anything more than that you should be using AS monthly_customers instead?

The reason that you get nothing in your last example is because those are settings that go inside limits.conf or on the outiside, not inside your search; when they are inside your search, they are treated as fields and values and since your events do not have a field called maxtime (let alone one with a value of 1800), your search returns 0 events (which is correct).

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...