Splunk Search

Why am I getting unexpected results with my timechart search?

qinglinms
Explorer

I have the following data in my index

_time                          PUID             TotalMinutes    TotalDisconnectedMinutes
2016-04-17T00:04:21.000+0000    1003BFFD885D8FB1    853             36
2016-04-18T01:03:23.000+0000    1003BFFD885D8FB1    339             0
2016-04-19T02:04:26.000+0000    1003BFFD885D8FB1    298             0
2016-04-19T04:41:25.000+0000    1003BFFD885D8FB1    14              0
2016-04-20T00:17:48.000+0000    1003BFFD885D8FB1    188             0
2016-04-21T04:09:02.000+0000    1003BFFD885D8FB1    1013            6
2016-04-22T02:37:20.000+0000    1003BFFD885D8FB1    257             2

However, when I use the timechart command, the result is not what I expect it to be.

The search I ran:

index=tenanthealthmonitor (host=mapi_outlookAvailabilityPerPuid OR host=rpc_outlookAvailabilitPerPuid) tenant_guid=482198bb-ae7b-4b25-8b7a-6d7f32faa083  PUID=100300008479DB02 | timechart  span=1d sum(TotalMinutes) as Total_Minutes, sum(TotalDisconnectedMinutes) as TotalDisconnected_Minutes usenull=f

The result is:

_time                          Total_Minutes    TotalDisconnected_Minutes
2016-04-17T00:00:00.000+0000              989                          34
2016-04-18T00:00:00.000+0000             1855                          25
2016-04-19T00:00:00.000+0000             2232                          72
2016-04-20T00:00:00.000+0000             1908                          94
2016-04-21T00:00:00.000+0000             2014                          72
2016-04-22T00:00:00.000+0000              643                          17

How does timechart work?

1 Solution

knielsen
Contributor

You're querying a different dataset than you list here (PUID=1003BFFD885D8FB1 vs PUID=100300008479DB02), so the timechart output could actually be correct.


patrick_muller
Explorer

Try with the stats command:

| stats sum(TotalMinutes) as Total_Minutes, sum(TotalDisconnectedMinutes) as TotalDisconnected_Minutes by date_mday

This will work better.

You can put the day and month in the same field, like:

eval current_date= date_month +"/"+ date_mday

the_wolverine
Champion

In addition to what others have stated, specifying span=1d translates to a timerange of "midnight to midnight". I see the timechart is correct based on this.



woodcock
Esteemed Legend

You told it to use spans of 1d so it first calls bucket _time span=1d which rounds all _time values for date:hour to 00:00, then it does the stats stuff. How else would you expect it to work?

If you do not think the sums are correct, what is probably happening is that what is considered today (in other words, what UTC/GMT offset value do you consider midnight?) is user-specific and determined by YOUR Timezone value in YOUR user settings on that Search Head. So if you have a different value than another user, you will probably get different results.

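A small simulation of what woodcock describes, added here as an example and not taken from the thread or from Splunk: it buckets the question's sample rows to local midnight (the `bucket _time span=1d` step) and then sums them, once for a user whose timezone is UTC and once for a user at UTC-4, so the same rows land in different days. The UTC-4 offset is assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Rows copied from the question's PUID=1003BFFD885D8FB1 listing, as
# (_time, TotalMinutes, TotalDisconnectedMinutes).
ROWS = [
    ("2016-04-17T00:04:21.000+0000", 853, 36),
    ("2016-04-18T01:03:23.000+0000", 339, 0),
    ("2016-04-19T02:04:26.000+0000", 298, 0),
    ("2016-04-19T04:41:25.000+0000", 14, 0),
    ("2016-04-20T00:17:48.000+0000", 188, 0),
    ("2016-04-21T04:09:02.000+0000", 1013, 6),
    ("2016-04-22T02:37:20.000+0000", 257, 2),
]


def parse_time(s):
    """Parse Splunk's ISO-8601 _time (with a +0000 offset) into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def bucket_1d(ts, tz):
    """Mimic `bucket _time span=1d`: the local calendar day ts falls on in tz,
    i.e. everything between two local midnights shares one bucket."""
    return ts.astimezone(tz).date().isoformat()


def timechart_1d(rows, utc_offset_hours=0):
    """Mimic `timechart span=1d sum(TotalMinutes) sum(TotalDisconnectedMinutes)`
    for a user whose Search Head timezone is the given UTC offset (assumed
    fixed offset, no DST). Returns {day: (Total_Minutes, TotalDisconnected_Minutes)}."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    sums = defaultdict(lambda: [0, 0])
    for t, total, disconnected in rows:
        day = bucket_1d(parse_time(t), tz)
        sums[day][0] += total
        sums[day][1] += disconnected
    return {day: tuple(v) for day, v in sorted(sums.items())}


if __name__ == "__main__":
    for label, offset in (("UTC", 0), ("UTC-4", -4)):
        print(f"--- user timezone {label} ---")
        for day, (total, disconnected) in timechart_1d(ROWS, offset).items():
            print(f"{day}  {total:5d}  {disconnected:3d}")
```

Rows stamped shortly after 00:00 UTC move to the previous day for the UTC-4 user, which is why two users can see different daily sums from the same events.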

qinglinms
Explorer

Thank you knielsen and woodcock. My bad.
