https://community.splunk.com/t5/Splunk-Search/Event-count-mismatch-when-using-using-field-name-quot-quot-and/m-p/418064#M120252 <P>Thanks for the answer MuS.<BR /> I have updated the question as per my research and found the problem in this scenario.</P> Tue, 03 Jul 2018 05:24:29 GMT jshah24 2018-07-03T05:24:29Z https://community.splunk.com/t5/Splunk-Search/Event-count-mismatch-when-using-using-field-name-quot-quot-and/m-p/418061#M120249 <P>Why is there a difference between the number of events scanned in both these queries?<BR /> Using below query getting statistics count 25 and number of events (Events label below search query) as 214.</P> <PRE><CODE>| tstats values(XXXX.product_name) as "Product Name" from datamodel=XXXX where (XXXX.threat_name="*") by XXXX.threat_name </CODE></PRE> <P>But, Using </P> <PRE><CODE>| tstats values(XXXX.product_name) as "Product Name" from datamodel=XXXX where (XXXX.threat_name!="") by XXXX.threat_name </CODE></PRE> <P>getting statistics count same 25 and number of events (Events label below search query) as 5,468.</P> Mon, 02 Jul 2018 14:03:17 GMT https://community.splunk.com/t5/Splunk-Search/Event-count-mismatch-when-using-using-field-name-quot-quot-and/m-p/418061#M120249 jshah24 2018-07-02T14:03:17Z https://community.splunk.com/t5/Splunk-Search/Event-count-mismatch-when-using-using-field-name-quot-quot-and/m-p/418062#M120250 <P>A few things to check here:</P> <UL> <LI>you are using <CODE>summareisonly</CODE> in the <CODE>tstats</CODE> search, are the DMA searches running and summaries are available?</LI> <LI>compare apples with apples, use your base search from the data model with your <CODE>get-_index</CODE> search</LI> <LI>talking of base search: does it return the expected results?</LI> <LI>Knowledge objects available to the DMA searches?</LI> <LI>permissions?</LI> </UL> <P>Just a starting point, but good to check ...</P> <P>cheers, MuS</P> Mon, 02 Jul 2018 21:07:08 GMT https://community.splunk.com/t5/Splunk-Search/Event-count-mismatch-when-using-using-field-name-quot-quot-and/m-p/418062#M120250 MuS 2018-07-02T21:07:08Z https://community.splunk.com/t5/Splunk-Search/Event-count-mismatch-when-using-using-field-name-quot-quot-and/m-p/418063#M120251 <P>1) Are you running for a fixed time frame, such as <CODE>earliest=-1d@d latest=@d</CODE>?</P> <P>2) Compare the output. Which threat_name are the events missing from?</P> Mon, 02 Jul 2018 22:05:46 GMT https://community.splunk.com/t5/Splunk-Search/Event-count-mismatch-when-using-using-field-name-quot-quot-and/m-p/418063#M120251 DalJeanis 2018-07-02T22:05:46Z https://community.splunk.com/t5/Splunk-Search/Event-count-mismatch-when-using-using-field-name-quot-quot-and/m-p/418064#M120252 <P>Thanks for the answer MuS.<BR /> I have updated the question as per my research and found the problem in this scenario.</P> Tue, 03 Jul 2018 05:24:29 GMT https://community.splunk.com/t5/Splunk-Search/Event-count-mismatch-when-using-using-field-name-quot-quot-and/m-p/418064#M120252 jshah24 2018-07-03T05:24:29Z https://community.splunk.com/t5/Splunk-Search/Event-count-mismatch-when-using-using-field-name-quot-quot-and/m-p/418065#M120253 <P>Thanks for your response DalJeanis.<BR /> Yes, I am running queries for a fixed time frame.<BR /> I have updated the question as per my research. please see the updated question. </P> Tue, 03 Jul 2018 05:26:51 GMT https://community.splunk.com/t5/Splunk-Search/Event-count-mismatch-when-using-using-field-name-quot-quot-and/m-p/418065#M120253 jshah24 2018-07-03T05:26:51Z