Hi, I have a list of jobs that I'm trying to chart by the amount of errors each parent job sees. For some reason, the values in the chart are always quadrupled. For example, I can see 5 errors in the data, but the chart shows twenty. In the end, I want to chart the sum of errors of the child jobs aggregate by their parent id. This is more or less the main idea in the query I've tried variations of : chart sum(job.vals.errors) by job.meta.parentkey | sort - _time . I'm very new to Splunk and after a few hours of going through the docs and reading questions I thought I would reach out to the community for answers. Below if the structure of the jobs I'm trying to chart.
{
"name": "the child job",
"vals": {
errors: 1,
passes: 3
},
"meta": {
"parentkey": 012345
}
}
Thanks for taking a moment to look at this!
... View more