https://community.splunk.com/t5/Monitoring-Splunk/Different-Amount-of-Events-per-UF-with-different-searches/m-p/562435#M8481 <P>In your first query you are looking at all events, for all internal and non-internal indexes.</P><P>In your second query you are looking only at _internal, and have it further delimited to only the Metrics component and the per_index_thruput group.</P><P>That is why you are seeing different results. Essentially, you are not comparing apples to apples, so to speak.</P> Fri, 06 Aug 2021 16:16:36 GMT codebuilder 2021-08-06T16:16:36Z https://community.splunk.com/t5/Monitoring-Splunk/Different-Amount-of-Events-per-UF-with-different-searches/m-p/562368#M8471 <P>Hello guys,</P><P>Iam creating a dashboard which show some statistics about the UFs of our environment.</P><P>By finding a good solution for the amount of events delivered per index, I noticed something I cant explain at the moment. Hopefully you can bring light in the dark. <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>For my understanding:</P><P># The amount of indexed events on the indexer by the forwarder itself</P><P>| tstats count as eventcount where index=* OR index=_* host=APP01 earliest=-60m@m latest=now by index, sourcetype | stats sum(eventcount) as eventcount by index</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">index</TD><TD width="50%">eventcount</TD></TR><TR><TD width="50%">_internal</TD><TD width="50%">11608</TD></TR><TR><TD width="50%">win</TD><TD width="50%">1337</TD></TR></TBODY></TABLE><P>&nbsp;</P><P># The amount of events which are forwarded by the forwarder&nbsp;</P><P>index=_internal component=Metrics host=APP01 series=* NOT series IN (main) group=per_index_thruput<BR />| stats sum(ev) AS eventcount by series</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">series</TD><TD width="50%">eventcount</TD></TR><TR><TD width="50%">_internal</TD><TD width="50%">1243</TD></TR><TR><TD width="50%">win</TD><TD width="50%">2876</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>But both of them are delivering different values for the same timerange (60min)</P><P>Has anyone an idea why this is happening?</P><P>Thanks.</P><P>BR, Tom</P> Fri, 06 Aug 2021 06:49:50 GMT https://community.splunk.com/t5/Monitoring-Splunk/Different-Amount-of-Events-per-UF-with-different-searches/m-p/562368#M8471 sscholz 2021-08-06T06:49:50Z https://community.splunk.com/t5/Monitoring-Splunk/Different-Amount-of-Events-per-UF-with-different-searches/m-p/562435#M8481 <P>In your first query you are looking at all events, for all internal and non-internal indexes.</P><P>In your second query you are looking only at _internal, and have it further delimited to only the Metrics component and the per_index_thruput group.</P><P>That is why you are seeing different results. Essentially, you are not comparing apples to apples, so to speak.</P> Fri, 06 Aug 2021 16:16:36 GMT https://community.splunk.com/t5/Monitoring-Splunk/Different-Amount-of-Events-per-UF-with-different-searches/m-p/562435#M8481 codebuilder 2021-08-06T16:16:36Z https://community.splunk.com/t5/Monitoring-Splunk/Different-Amount-of-Events-per-UF-with-different-searches/m-p/563601#M8527 <P>Thank you for clarification.</P><P>It seems that i had apples on my eyes. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P><P>...</P><P>&nbsp;</P><P>Greetings.</P> Tue, 17 Aug 2021 08:18:31 GMT https://community.splunk.com/t5/Monitoring-Splunk/Different-Amount-of-Events-per-UF-with-different-searches/m-p/563601#M8527 sscholz 2021-08-17T08:18:31Z