Hi
I'm trying to join data from two sourcetypes and make some simple statistics based on the joined data. But when I use stats I get some incorrect results. Let me explain in detail:
In sourcetype "ATM" I have the field DEVICE_ID, and in sourcetype "Zabbix" I have the fields JNAME and AVAILABLE. The fields DEVICE_ID and JNAME contain the same sort of data from two different applications, and the field AVAILABLE contains the information for which I need some statistics. In sourcetype "ATM" I have events for more DEVICE_IDs than in sourcetype "Zabbix".
Basically my task is to count, for every day, how many DEVICE_IDs have no information in "Zabbix".
I used the following query to get the result:
sourcetype=ATM | eval date=strftime(_time,"%d-%m-%Y") | dedup DEVICE_ID, date
| join type=left DEVICE_ID, date [search sourcetype=Zabbix | eval date=strftime(_time,"%d-%m-%Y") | dedup JNAME, date | rename JNAME AS DEVICE_ID]
| fillnull value="No data" AVAILABLE
| search AVAILABLE="No data"
| stats count(DEVICE_ID) by date
When I execute this search for 7 days, I get correct information for the latest 5 days and fully incorrect information for the first two. When I executed this search for the last 30 days I got correct results for the latest 11 days and incorrect results for all the others. Like this:
date | count
11-09-2014 | 2994
12-09-2014 | 2989
13-09-2014 | 347
14-09-2014 | 328
15-09-2014 | 341
16-09-2014 | 349
Please help me make this search work properly. Thank you in advance.
P.S. I'm using Splunk Free, if it matters.
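A join-free way to express the same per-day count, added here as an example and not part of the question above. It assumes the two sourcetypes can be searched together in one base search and that nothing but the sourcetype distinguishes an ATM event from a Zabbix event. It counts, per day, every DEVICE_ID that appears in ATM events but in no Zabbix event of the same day, which is what the AVAILABLE="No data" filter in the original query selects:

```spl
(sourcetype=ATM) OR (sourcetype=Zabbix)
| eval DEVICE_ID=coalesce(DEVICE_ID, JNAME)
| eval date=strftime(_time, "%d-%m-%Y")
| stats count(eval(sourcetype="ATM")) AS atm_events,
        count(eval(sourcetype="Zabbix")) AS zabbix_events
        BY DEVICE_ID, date
| where atm_events > 0 AND zabbix_events = 0
| stats count AS missing_devices BY date
```

Because the Zabbix side is part of the base search rather than a subsearch, it is not subject to the result-count and time limits that apply to the subsearch inside a join; whether those limits are what produces the discrepancy in the question is not something the post itself settles, so the two searches are worth running side by side over the same 30-day window and comparing the per-day counts.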