Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the append command in my search showing incorrect results?

HeinzWaescher
Motivator
‎07-08-2015 08:48 AM

Hi,

My search looks like this:

base search...
| timechart span=1d  dc(user_id) AS daily_customers
| timechart span=1mon avg(daily_customers) AS avg_daily_customers
| eval avg_daily_customers=round(avg_daily_customers,0)

| append  [base search...
| timechart span=1mon  dc(user_id) AS daily_customers]

The base search is about 14.000.000 events in both cases. The append command shows up incorrect results and I think this is caused by the maxtime and/or timeout . I tried to increase these parameters, but afterwards, nothing is appended.

| append  [base search... maxtime=1800 timeout=1800
| timechart span=1mon  dc(user_id) AS daily_customers]

What am I doing wrong with the append command?

BR

Heinz

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-08-2015 05:57 PM

Replace this

... | append [base search... maxtime=1800 timeout=1800 ...]

with this

... | append maxtime=1800 timeout=1800 [...]

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/append

Additionally, I'd question any case that executes the same base search twice only to apply different stats.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-08-2015 05:57 PM

Replace this

... | append [base search... maxtime=1800 timeout=1800 ...]

with this

... | append maxtime=1800 timeout=1800 [...]

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/append

Additionally, I'd question any case that executes the same base search twice only to apply different stats.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-13-2015 12:52 AM

I'm not sure if there are limits on these limits, but if you need a six-hour append you're in serious need of some refactoring.

How 'bout something along these lines?

  base search | bin span=1d _time | stats count by _time user_id
| eventstats dc(user_id) as daily_customers by _time
| timechart span=1mon avg(daily_customers) AS avg_daily_customers dc(user_id) AS daily_customers
| eval avg_daily_customers=round(avg_daily_customers,0)
0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎07-13-2015 01:24 AM

I think in practice I would need an append of 15min, I was just interested in the possibilities of these options.
Generally I try to avoid eventstats for large searches, because the search performance was very low, when I used it in the past. But I will give it a try again

0 Karma
Reply
Solved! Jump to solution

HeinzWaescher
Motivator
‎07-13-2015 12:28 AM

This works fine, thanks!
Are there limits for these options or can it set them to 6 hours as well?
I used the same base search twice because I wanted to combine a new metric out of both results. This is the only way I was able to do this.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-08-2015 10:11 AM

Is it anything more than that you should be using AS monthly_customers instead?

The reason that you get nothing in your last example is because those are settings that go inside limits.conf or on the outiside, not inside your search; when they are inside your search, they are treated as fields and values and since your events do not have a field called maxtime (let alone one with a value of 1800), your search returns 0 events (which is correct).

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...