why i am finding count difference in timechart fun...

umsundar2015 · ‎10-12-2017

Hi,

When i run a search for 7 days , i am getting correct count for all 7 days .But when i run for 30 days then i am finding difference in count .I am left joining 2 indexes and finally i am using timechart command.
Please can anyone help me out

thanks,

gcusello · ‎10-13-2017

Hi umsundar2015,
you used a join using IP as key, but in your subsearch you haven't IP field as output, so your join never matches.
Try to insert in your subsearch IP AS value or key stats.

Bye.
Giuseppe

cmerriman · ‎10-12-2017

i believe it is the way that timechart buckets the days. I believe buckets start from the earliest date in your time frame.

If you search |timechart span=7d count for Last 30 days (2017-09-12 through 2017-10-12), the _time comes back with 2017-09-12, 2017-09-19, 2017-09-26, 2017-10-03 and 2017-10-10
however if you run the same search for Last 7 days (2017-10-05 through 2017-10-12), you'll get _time of 2017-10-05 and 2017-10-12

umsundar2015 · ‎10-13-2017

i am giving span=1d , Can you please help me out

cmerriman · ‎10-13-2017

@cusello points out that IP is not in your subsearch, yet you have it set as the field to join to. Try

| join type=left IP 
    [ search index=rranges 
    | stats count by IP sas _time]

also, your whole query isn't by _time, so the total sum wouldn't match because you're summing by sas, not by day (_time span=1d). essentially, the bin command is not doing anything in the grand scheme.

if you wanted it by day and sas, bin _time first, then apply the stats command.

|bin span=1d _time
|stats count by sas _time

DalJeanis · ‎10-12-2017

Please post the search, with any confidential information removed, so we can help you more accurately.

umsundar2015 · ‎10-13-2017

Hi daljeanis,

This is my search,

why i am finding count difference in timechart function

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!