Solved: Why does _time bucket give different results depen...

manus · ‎05-06-2015

The following search returns two values (yesterday (1430780400) and today(1430866800)):
earliest=-d@d index=_internal
| bucket _time span=1d
| stats values(_time)

This search returns only one value (yesterday(1430780400)):
earliest=-d@d index=_internal
| sort _time
| bucket _time span=1d
| stats values(_time)

So sorting by _time affects the results of "bucket _time span=1d".
That looks like an undesired feature to me.

HeinzWaescher · ‎05-06-2015

How many events are searched for? I think the sort command you are using only uses 10k events.

Try this

 | sort 0 _time

View solution in original post

HeinzWaescher · ‎05-06-2015

How many events are searched for? I think the sort command you are using only uses 10k events.

Try this

 | sort 0 _time

manus · ‎05-06-2015

Thanks a lot, spot on. That was the problem. It's the second time I forget sort is constrained by default.

Why does _time bucket give different results depending on how the data is sorted?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...