https://community.splunk.com/t5/Dashboards-Visualizations/Seeing-difference-in-count-between-stats-and-timechart-command/m-p/622221#M51063 <P>I understand this .But I am using data warehouse view as source for the sourcetype using db connect .</P><P>It will have a static value for a particular day .But I am not sure why I am seeing difference between stats and timechart .</P><P>When I select yesterday in timechart it shows exact match with stats count .But when I select more than one day it shows difference .</P><P>It's strange but this is what iam getting .</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 28 Nov 2022 03:39:32 GMT dtccsundar 2022-11-28T03:39:32Z https://community.splunk.com/t5/Dashboards-Visualizations/Seeing-difference-in-count-between-stats-and-timechart-command/m-p/622077#M51057 <P>Hi ,</P><P>I am facing difference in count between stats and timechart for same search and same filters</P><P>Stats cmd : Last 24 hours</P><P>search|bin span=1d _time |stats count by Status|eventstats sum(*) as sum_* |foreach * [eval "Comp %"=round((count/sum_count)*100,2)]|rename count as Count|fields - sum_count</P><TABLE width="128"><TBODY><TR><TD width="64">comp&nbsp;</TD><TD width="64">7126</TD></TR><TR><TD>error</TD><TD>37</TD></TR><TR><TD>Noncomp</TD><TD>146</TD></TR><TR><TD>NonRep</TD><TD>54</TD></TR><TR><TD>Total</TD><TD>7363</TD></TR></TBODY></TABLE><P><BR />Timechart :&nbsp; Last 30 days&nbsp;</P><P>search|bin span=1d _time |timechart count by Status| addtotals| eval "Comp %"=round((Comp/Total)*100,2) | eval "Error %"=round((Error/Total)*100,2) | eval "Noncomp %"=round((Noncomp/Total)*100,2) | eval "NonRep %"=round((NonRep/Total)*100,2) | fields _time,*%</P><TABLE width="128"><TBODY><TR><TD width="64">comp&nbsp;</TD><TD width="64">7126</TD></TR><TR><TD>error</TD><TD>36</TD></TR><TR><TD>Noncomp</TD><TD>146</TD></TR><TR><TD>NonRep</TD><TD>53</TD></TR><TR><TD>Total</TD><TD>7361</TD></TR></TBODY></TABLE><P><BR />There is difference in count by 2 between these 2 functions.I am using a macro before the time chart or stats .Please help me with solution or cause of this issue.&nbsp;</P><P>&nbsp;</P> Mon, 28 Nov 2022 05:36:46 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Seeing-difference-in-count-between-stats-and-timechart-command/m-p/622077#M51057 dtccsundar 2022-11-28T05:36:46Z https://community.splunk.com/t5/Dashboards-Visualizations/Seeing-difference-in-count-between-stats-and-timechart-command/m-p/622215#M51060 <P>Your searches and your data examples don't seem to correlate.</P><P>Firstly you are not splitting by _time in your stats, so the stats command will give you a single set of stats by Status for the last 24 hours. Your bin _time is redundant. If you want to use bin with stats, you need to also use _time in the by clause, e.g.</P><LI-CODE lang="markup">|stats count by _time Status</LI-CODE><P>Depending on when you are running the search and if the latest part of the search is anchored to a fixed time, it will vary every time you run it.</P><P>Your timechart search is producing percentage values, not counts.</P><P>Can you clarify exactly what your earliest and latest search criteria are for these two searches</P> Sun, 27 Nov 2022 22:41:31 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Seeing-difference-in-count-between-stats-and-timechart-command/m-p/622215#M51060 bowesmana 2022-11-27T22:41:31Z https://community.splunk.com/t5/Dashboards-Visualizations/Seeing-difference-in-count-between-stats-and-timechart-command/m-p/622216#M51061 <P>I am not using earliest and latest in search .</P><P>But my requirement is for last 24 hours for stats and last 30 days for timechart .For time chart it will be selected in filter .</P> Mon, 28 Nov 2022 00:32:30 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Seeing-difference-in-count-between-stats-and-timechart-command/m-p/622216#M51061 dtccsundar 2022-11-28T00:32:30Z https://community.splunk.com/t5/Dashboards-Visualizations/Seeing-difference-in-count-between-stats-and-timechart-command/m-p/622220#M51062 <P>Every search has an earliest and latest time range - it's a fundamental requirement for any search. It's either set by a time picker of specified in the search directly.</P><P>Last 24 hours in Splunk will typically mean -24h@h to "now", so it will be somewhere between 24 and 25 hours whereas your timechart will be working on day boundaries, because you have defined the time group to be a span of 1 day, so will be from midnight to midnight.</P><P>You need to make sure you are comparing comparable time ranges. "Last 24 hours" will never be the same time range as a 30 day time range</P><P data-unlink="true">If you want "last 24 hours" to mean "yesterday", then your time range needs to be -d@d&nbsp; for the earliest time and&nbsp;@d for the latest time range in the time picker</P> Mon, 28 Nov 2022 02:58:17 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Seeing-difference-in-count-between-stats-and-timechart-command/m-p/622220#M51062 bowesmana 2022-11-28T02:58:17Z https://community.splunk.com/t5/Dashboards-Visualizations/Seeing-difference-in-count-between-stats-and-timechart-command/m-p/622221#M51063 <P>I understand this .But I am using data warehouse view as source for the sourcetype using db connect .</P><P>It will have a static value for a particular day .But I am not sure why I am seeing difference between stats and timechart .</P><P>When I select yesterday in timechart it shows exact match with stats count .But when I select more than one day it shows difference .</P><P>It's strange but this is what iam getting .</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 28 Nov 2022 03:39:32 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Seeing-difference-in-count-between-stats-and-timechart-command/m-p/622221#M51063 dtccsundar 2022-11-28T03:39:32Z