Getting Data In

milliseconds in _time

dinisco
Explorer

Splunk is picking up a csv file that looks like this:

SP A,03/27/11 13:10:00,10,4,5,6
SP A,03/27/11 13:20:00,4,4,2,0
SP A,03/27/11 13:30:00,1,1,5,4
...
SP B,03/27/11 13:10:00,15,2,3,6
SP B,03/27/11 13:20:00,1,8,5,0
SP B,03/27/11 13:30:00,2,2,3,4

My assumption was that I would be able to do this:

| stats sum(column3) as total_column3 by _time |timechart avg(total_column3)

and end up with 25,5,3. But Splunk is adding milliseconds to _time, resulting in unique times/events:

3/27/11 1:10:00.400 PM  SP A,03/27/11 13:10:00,10,4,5,6
...
3/27/11 1:10:00.247 PM  SP B,03/27/11 13:10:00,15,2,3,6

I could use the date stamp column from the csv:

| stats sum(column3) as total_column3 by column2 |chart avg(total_column3) by column2

but I want to be able to use timechart and adjust span so I don't always have to use 10 minute intervals.

Should I be importing the data differently or is there a way around this?

0 Karma

gkanapathy
Splunk Employee

I don't know if it's mis-parsing the data and getting milliseconds, but that's a separate issue. You can fix that by providing explicit TIME_FORMAT and TIME_PREFIX to match your data.

As for reporting, however, you should simply be able to do:

| timechart span=1s sum(column3)

or use whatever time span you like.

Also, I'm not sure why you'd need stats first. If this is a simplification, and you do need stats, you can force a span onto _time with:

... | bucket span=10m _time | stats sum(column3) as total_column3 by _time | ...

So whether or not the data has milliseconds, you should be able to adjust for it.

0 Karma

dinisco
Explorer

Thanks again, as always. The bucket span option did the trick.

The reason I'm using stats to sum is because I want to sum column3 for SPA and SPB then take an average over time. If I used sum in timechart it would add column3 and the data would be misrepresented whenever timechart span exceeded 10 mins.

0 Karma
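
A small Python model of the searches discussed in this thread, added here as an example (it is not code from either poster or from Splunk): it shows why millisecond-distinct _time values defeat `stats ... by _time`, how bucketing to 10 minutes restores the 25, 5, 3 totals, and why averaging those totals over a wider span differs from summing directly at that span. The events are constructed from the thread's sample rows; the millisecond values other than .400 and .247, the function names, the one-hour span and the midnight-aligned bucketing are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events modelled on the thread's CSV: (indexed _time, source, column3).
# The fractional seconds stand in for the milliseconds seen on _time.
EVENTS = [
    ("03/27/11 13:10:00.400", "SP A", 10),
    ("03/27/11 13:10:00.247", "SP B", 15),
    ("03/27/11 13:20:00.118", "SP A", 4),
    ("03/27/11 13:20:00.903", "SP B", 1),
    ("03/27/11 13:30:00.051", "SP A", 1),
    ("03/27/11 13:30:00.672", "SP B", 2),
]
TEN_MIN, HOUR = timedelta(minutes=10), timedelta(hours=1)

def bucket(t, span):
    """Snap t down to the start of its span (simplified: aligned to midnight)."""
    midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight + ((t - midnight) // span) * span

def sum_by_time(events, span=None):
    """Model of `stats sum(column3) by _time`, optionally after `bucket span=`."""
    totals = defaultdict(int)
    for ts, _source, value in events:
        t = datetime.strptime(ts, "%m/%d/%y %H:%M:%S.%f")
        totals[bucket(t, span) if span else t] += value
    return dict(sorted(totals.items()))

def avg_of_totals(totals, span):
    """Model of `timechart span= avg(total_column3)` over per-interval totals."""
    groups = defaultdict(list)
    for t, total in totals.items():
        groups[bucket(t, span)].append(total)
    return {t: sum(v) / len(v) for t, v in sorted(groups.items())}

if __name__ == "__main__":
    raw = sum_by_time(EVENTS)                 # milliseconds keep every event apart
    per_10m = sum_by_time(EVENTS, TEN_MIN)    # SP A + SP B combined per interval
    print(len(raw), "distinct _time values without bucketing")
    print("10m totals:", list(per_10m.values()))
    print("1h avg of 10m totals:", list(avg_of_totals(per_10m, HOUR).values()))
    print("1h direct sum:", list(sum_by_time(EVENTS, HOUR).values()))
```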