Re: Why is the same search query used before & aft...

himynamesdave · ‎03-27-2015

OK here are some searches, and resulting values:

#battlefornumber10 cameron | timechart span=10m count AS "Total number of Tweets mentioning Cameron"

time cameron
21:10 10325
01:10 144

#battlefornumber10 miliband | timechart span=10m count AS "Total number of Tweets mentioning Miliband"

time miliband
21:10 1759
01:10 96

#battlefornumber10 cameron | timechart span=10m count AS "Total number of Tweets mentioning Cameron"| appendcols [search #battlefornumber10 miliband | timechart span=10m count AS "Total number of Tweets mentioning Miliband" | fields "Total number of Tweets mentioning Miliband" ]

time cameron miliband
21:10 10325 12
01:10 144 1759

So the "cameron" column returns the same number of results, but the "miliband" column has reduced from 1759 to 12 for 21:10

However, looking at a different time 01:10 it appears the values for Miliband have been pushed to the future (+4 hours)

What is happening here?

somesoni2 · ‎03-27-2015

A better approach would be like this

#battlefornumber10 cameron OR miliband | eval Type="Total number of Tweets mentioning ".if(match(_raw,"cameron"),"Cameron","Miliband")| timechart span=10m count by Type

jmheaton · ‎03-27-2015

Run it again without the | fields in your append. The | field means you are not transferring the time field from the timechart, you are just transferring the data field.

Why is the same search query used before & after the appendcols command producing different results in those 2 columns?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio