Splunk Search

Why is the same search query used before & after the appendcols command producing different results in those 2 columns?

himynamesdave
Contributor

OK here are some searches, and resulting values:

#battlefornumber10 cameron | timechart span=10m count AS "Total number of Tweets mentioning Cameron"

time   cameron
21:10  10325
01:10  144

#battlefornumber10 miliband | timechart span=10m count AS "Total number of Tweets mentioning Miliband"

time   miliband
21:10  1759
01:10  96

#battlefornumber10 cameron | timechart span=10m count AS "Total number of Tweets mentioning Cameron"| appendcols [search #battlefornumber10 miliband | timechart span=10m count AS "Total number of Tweets mentioning Miliband" | fields "Total number of Tweets mentioning Miliband" ]

time   cameron  miliband
21:10  10325    12
01:10  144      1759

So the "cameron" column returns the same numbers, but the "miliband" column has dropped from 1759 to 12 for 21:10.

However, looking at a different time, 01:10, it appears the values for Miliband have been pushed into the future (+4 hours).

What is happening here?


somesoni2
SplunkTrust

A better approach would be like this (the match() regex is made case-insensitive with (?i) so that "Cameron" is classified the same way the case-insensitive search term matches it):

#battlefornumber10 cameron OR miliband | eval Type="Total number of Tweets mentioning ".if(match(_raw,"(?i)cameron"),"Cameron","Miliband") | timechart span=10m count by Type

jmheaton
Path Finder

Run it again without the | fields in your append. The | fields means you are not transferring the time field from the timechart, you are just transferring the data field.
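To make the misalignment concrete, here is an added simulation (not code from the thread or from Splunk) of how appendcols pairs rows by position only, compared with merging on the shared _time key as a join or a single "timechart ... by Type" would. The sample buckets are constructed to reproduce the numbers in the question, on the assumption that the subsearch's first bucket fell 4 hours before the main search's first bucket; the date is arbitrary.

```python
# Added example (not from the thread): simulate Splunk's positional `appendcols`
# against a merge keyed on `_time`. All rows below are constructed sample data.
from datetime import datetime, timedelta

SPAN = timedelta(minutes=10)


def bucket_series(start, counts):
    """Rows shaped like `timechart span=10m count` output: one per 10-minute bucket."""
    return [{"_time": start + i * SPAN, "count": n} for i, n in enumerate(counts)]


def appendcols(left, right, field):
    """Like appendcols: row i of `left` gets `field` from row i of `right`,
    regardless of the _time each row carries. Rows with no partner get None."""
    merged = []
    for i, row in enumerate(left):
        value = right[i]["count"] if i < len(right) else None
        merged.append(dict(row, **{field: value}))
    return merged


def join_on_time(left, right, field):
    """Keyed merge: `field` comes from the `right` row with the same _time,
    which is what `join _time [...]` or one `timechart ... by Type` gives you."""
    by_time = {r["_time"]: r["count"] for r in right}
    return [dict(row, **{field: by_time.get(row["_time"])}) for row in left]


def demo():
    """Return {HH:MM: (cameron, miliband_positional, miliband_keyed)} per main bucket."""
    main_start = datetime(2015, 4, 2, 21, 0)      # main search buckets: 21:00 .. 01:10
    sub_start = main_start - timedelta(hours=4)   # assumed: subsearch buckets start at 17:00
    cameron = bucket_series(main_start, [9000, 10325] + [500] * 23 + [144])
    miliband = bucket_series(sub_start, [10, 12] + [30] * 23 + [1759] + [40] * 23 + [96])
    positional = appendcols(cameron, miliband, "miliband")
    keyed = join_on_time(cameron, miliband, "miliband")
    return {
        p["_time"].strftime("%H:%M"): (p["count"], p["miliband"], k["miliband"])
        for p, k in zip(positional, keyed)
    }


if __name__ == "__main__":
    for label, (cam, pos, key) in demo().items():
        if label in ("21:10", "01:10"):
            # 21:10 -> 10325 12 1759 ; 01:10 -> 144 1759 96
            print(label, cam, pos, key)
```

The positional column reproduces the question's table (12 at 21:10, 1759 at 01:10) while the keyed column returns the values the standalone Miliband search showed, which is why dropping _time from the subsearch, or relying on row order at all, gives wrong answers whenever the two result sets do not start at the same bucket.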
