topic Re: What is the difference between rare vs stats values(field) count? in Splunk Search

What is the difference between rare vs stats values(field) count?

danielwysockiar — Wed, 11 Jul 2018 13:16:01 GMT

Hi,
I'm trying to find least common agent useing two commands:

1) sourcetype=access_combined| rare  useragent
2) sourcetype=access_combined| stats values(useragent)  count by useragent | sort count

And I get different results, because second one finds more results.

Can someone please clarify the difference in the way those commands work?

Re: What is the difference between rare vs stats values(field) count?

kmorris_splunk — Wed, 11 Jul 2018 13:50:23 GMT

Could it be because you ran it after the rare search, and by then the results were different due to additional data coming in? I would make a dashboard with both searches, each in their own panel, that way they run at the same time. Or, rerun the first search to see if that searches results have changed as well.

Re: What is the difference between rare vs stats values(field) count?

danielwysockiar — Wed, 11 Jul 2018 13:55:05 GMT

Edit : Done one dashboard with shared time-picker and the results are the same 🙂
Must have been my mistake.
Thanks.

That was my idea at first, so I've set a time-picker to show results from the same hour and run commands.
Still the same difference.
Must be something in the way those commands work, but can not find any detailed info on the mechanism.

Re: What is the difference between rare vs stats values(field) count?

renjith_nair — Wed, 11 Jul 2018 13:59:42 GMT

Hi,

As mentioned in the documentation, rare displays the least common values of a field and by default displays "rare" 10 values. If the "by clause" is specified, this command returns rare tuples of values for each distinct tuple of values of the group-by fields.

http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Rare

Whereas values returns the list of all distinct values of the field X as a multivalue entry.

http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Multivaluefunctions#values.28X.29

In short rare is opposite of top

Re: What is the difference between rare vs stats values(field) count?

danielwysockiar — Wed, 11 Jul 2018 14:05:36 GMT

Yeah thats is why I tried to compare least common values of a field with distinct values of the field in descending order. The results seem to be the same now.

Re: What is the difference between rare vs stats values(field) count?

woodcock — Wed, 11 Jul 2018 15:40:55 GMT

Rare defaults to the 10 rarest so the percentages will be all wrong; these should be the same

sourcetype=access_combined| rare 9999 useragent
sourcetype=access_combined| stats count BY useragent | sort 9999 count

And these:

sourcetype=access_combined| rare useragent
sourcetype=access_combined| stats count BY useragent | sort 10 count