topic Why my stats command return wrong values ? in Getting Data In

Why my stats command return wrong values ?

mah — Wed, 28 Oct 2020 16:07:52 GMT

Hi,

I have a search very simple but it returns wrong results :

The problem is the result is incoherent because the number of event is :

Total of OK and KO not exceed 100

Can you help me please ?

Re: Why my stats command return wrong values ?

Marco — Wed, 28 Oct 2020 16:29:41 GMT

Try doing this:

eval OK=if(like(State,"OK"),1,0), KO=if(like(State,"KO"),1,0)| stats sum(OK) sum(KO)

Let me know if that work.

-Marco

Re: Why my stats command return wrong values ?

ITWhisperer — Wed, 28 Oct 2020 16:37:56 GMT

Does State exist multiple times in any of the events so that when it is extracted you end up with a multi-value field such that 77% have OK in one of the values in the State field and 56% have KO in one of the values in the State field? Also, where you are counting State==OK and State==KO, perhaps this is counting where these are the only values of State in these events, i.e. the difference represents the number of events that have both values (OK and KO) in the multi-value field State?

Re: Why my stats command return wrong values ?

mah — Wed, 28 Oct 2020 17:19:48 GMT

@Marco

I change eval if by eval case in the search :

it gives :

BUT my beginning query did the job for counting OK and KO BUT not for total. The result is nonsense:

And more amazing, when I want to add fields after the by the count increase :

more fields after the by I add, more the count increase !

@ITWhisperer

State is a unique field in one event and containing 2 values : OK and KO

Re: Why my stats command return wrong values ?

mah — Thu, 29 Oct 2020 13:47:34 GMT

Yes, It is as I said : all values in all fields was twice.

So I added on the search head an app with the sourcetype "B" with le parameter KV_MODE = none :

[B]

KV_MODE = none

and all values appear one time only :

And finally my beginning query works well !

Thank you for your help.