I have a rather odd issue occurring: if I include an additional field in my `by` clause (which I do need), the values I get end up being doubled. If I don't have the additional field, then I get the correct values.
For the given query:
sourcetype=metrics source=event-publisher type="m" | spath | search name="publisher.send" | streamstats window=2 current=t global=f earliest(val.count) as begin, latest(val.count) as end by name | eval delta=if (end-begin < 0,end,end-begin) | bin span=1h _time | chart sum(delta) by _time,name
The delta and everything works fine; the issue is `chart sum(delta) by _time,name`, namely the `,name` portion. If I exclude that and just have `chart sum(delta) by _time` I get the correct values. However, if I add `,name` it doubles the values.
The same thing happens when using `timechart`. Filtering on the `name` is for troubleshooting purposes.
For example, if for a one hour period the delta (from start of hour to end) is a total of 14, then if I don't include `name` in the `by` for `chart` I get a result of 14 (as expected); however, if I do include `name` in the `by` clause I get 28.
I'm not sure if something odd is happening between using the `by name` and the `streamstats`?
The behaviour could be indicative of a multi-value `name` field. To check, run this
sourcetype=metrics source=event-publisher type="m" | spath | eval mv_count = mvcount(name)
and check the values of `mv_count` in the field list on the left.
Yeah, it reports 2. As far as I can tell the piping through `spath` is causing the duplicates. If I specify a specific value to extract with `spath` it's fine, but just the general `| spath |` causes the multiple values. I can actually just do
sourcetype=metrics source=event-publisher type="m" | chart sum(val.count) by _time span=1h
and get values without issue. I guess Splunk is auto-extracting the JSON already and didn't need the `spath` pipe at all.
You may already have either `INDEXED_EXTRACTIONS` or `KV_MODE` set to JSON, so yeah - your `spath` would add a second copy of the fields.