topic Re: Does anyone have an explanation for the differences in count with and without eval expression in Splunk Search https://community.splunk.com/t5/Splunk-Search/Does-anyone-have-an-explanation-for-the-differences-in-count/m-p/454673#M128644 <P>hahah most welcome <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P> Tue, 14 May 2019 08:18:05 GMT DavidHourani 2019-05-14T08:18:05Z Does anyone have an explanation for the differences in count with and without eval expression https://community.splunk.com/t5/Splunk-Search/Does-anyone-have-an-explanation-for-the-differences-in-count/m-p/454670#M128641 <P>Hello,</P> <P>on searching for discrepancies in my dashboard I was able to cut down the problem to the following to searches. Maybe there is an explanation for it. The difference is in the count of TLSv1.2.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="search with eval"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7044iA3ADFFC14D9302C8/image-size/large?v=v2&amp;px=999" role="button" title="search with eval" alt="search with eval" /></span></P> <P><span class="lia-inline-image-display-wrapper" image-alt="search without eval"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7045iF537729D5266A1C6/image-size/large?v=v2&amp;px=999" role="button" title="search without eval" alt="search without eval" /></span></P> Tue, 14 May 2019 06:53:21 GMT https://community.splunk.com/t5/Splunk-Search/Does-anyone-have-an-explanation-for-the-differences-in-count/m-p/454670#M128641 gesa_behrens 2019-05-14T06:53:21Z Re: Does anyone have an explanation for the differences in count with and without eval expression https://community.splunk.com/t5/Splunk-Search/Does-anyone-have-an-explanation-for-the-differences-in-count/m-p/454671#M128642 <P>Hi @gesa_behrens,</P> <P>This is happening because a single transaction contains sometimes more than one <CODE>ssl_protocol</CODE> field values which means that if the condition matches on "-" everything gets replaced by the "HTTP" string. </P> <P>You might want to run your eval before building the transaction then you'll be good on the count.</P> <P>Cheers,<BR /> David</P> Tue, 14 May 2019 07:08:32 GMT https://community.splunk.com/t5/Splunk-Search/Does-anyone-have-an-explanation-for-the-differences-in-count/m-p/454671#M128642 DavidHourani 2019-05-14T07:08:32Z Re: Does anyone have an explanation for the differences in count with and without eval expression https://community.splunk.com/t5/Splunk-Search/Does-anyone-have-an-explanation-for-the-differences-in-count/m-p/454672#M128643 <P>wow, that was quick, and now that you mention it, this is absolutely clear to me, should have seen it my self.<BR /> Thanks so much!</P> Tue, 14 May 2019 07:14:47 GMT https://community.splunk.com/t5/Splunk-Search/Does-anyone-have-an-explanation-for-the-differences-in-count/m-p/454672#M128643 gesa_behrens 2019-05-14T07:14:47Z Re: Does anyone have an explanation for the differences in count with and without eval expression https://community.splunk.com/t5/Splunk-Search/Does-anyone-have-an-explanation-for-the-differences-in-count/m-p/454673#M128644 <P>hahah most welcome <span class="lia-unicode-emoji" title=":winking_face:">😉</span> </P> Tue, 14 May 2019 08:18:05 GMT https://community.splunk.com/t5/Splunk-Search/Does-anyone-have-an-explanation-for-the-differences-in-count/m-p/454673#M128644 DavidHourani 2019-05-14T08:18:05Z