https://community.splunk.com/t5/Splunk-Search/Inconsistent-Count-result/m-p/488810#M194022 <P>Part of the issue with this search is you're using <CODE>dedup</CODE> in your original search ( <CODE>sourcetype=xxx | dedup user | timechart span=1d count(user)</CODE> )</P> <P>A better search is this:</P> <PRE><CODE>index=ndx sourcetype=srctp user=* | timechart span=1d dc(user) </CODE></PRE> <P>This will give you a distinct count of the <CODE>user</CODE> field per day using the much simpler (and faster) <CODE>dc()</CODE> ( <CODE>distinct_count()</CODE> ) stats function - <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Aggregatefunctions#distinct_count.28X.29_or_dc.28X.29">https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Aggregatefunctions#distinct_count.28X.29_or_dc.28X.29</A></P> Fri, 22 Nov 2019 14:28:04 GMT wmyersas 2019-11-22T14:28:04Z https://community.splunk.com/t5/Splunk-Search/Inconsistent-Count-result/m-p/488807#M194019 <P>Original Search</P> <P>sourcetype=xxx | dedup user | timechart span=1d count(user)</P> <P>I found that the results are different for selecting the different time ranges</P> <P>Time Range _time count(user)<BR /> All time : 2019-10-20 269<BR /> during Oct 20: 2019-10-20 1473</P> <P>Why I got different results by selecting different time ranges?</P> <P>Thank you</P> Fri, 22 Nov 2019 07:59:41 GMT https://community.splunk.com/t5/Splunk-Search/Inconsistent-Count-result/m-p/488807#M194019 kcchu01 2019-11-22T07:59:41Z https://community.splunk.com/t5/Splunk-Search/Inconsistent-Count-result/m-p/488808#M194020 <P>Hi @kcchu01,<BR /> dedup has a limit of 10,000 results, if you want to exceed this limit you have to insert 0 in dedup command.<BR /> Something like this:</P> <PRE><CODE>sourcetype=xxx | dedup 0 user | timechart span=1d count(user) </CODE></PRE> <P>P.S.: It's better to always use index in main search to have more performant searches.</P> <P>Ciao.<BR /> Giuseppe</P> Fri, 22 Nov 2019 09:25:39 GMT https://community.splunk.com/t5/Splunk-Search/Inconsistent-Count-result/m-p/488808#M194020 gcusello 2019-11-22T09:25:39Z https://community.splunk.com/t5/Splunk-Search/Inconsistent-Count-result/m-p/488809#M194021 <P>It's also better to use <CODE>stats</CODE> vs <CODE>dedup</CODE></P> Fri, 22 Nov 2019 14:25:14 GMT https://community.splunk.com/t5/Splunk-Search/Inconsistent-Count-result/m-p/488809#M194021 wmyersas 2019-11-22T14:25:14Z https://community.splunk.com/t5/Splunk-Search/Inconsistent-Count-result/m-p/488810#M194022 <P>Part of the issue with this search is you're using <CODE>dedup</CODE> in your original search ( <CODE>sourcetype=xxx | dedup user | timechart span=1d count(user)</CODE> )</P> <P>A better search is this:</P> <PRE><CODE>index=ndx sourcetype=srctp user=* | timechart span=1d dc(user) </CODE></PRE> <P>This will give you a distinct count of the <CODE>user</CODE> field per day using the much simpler (and faster) <CODE>dc()</CODE> ( <CODE>distinct_count()</CODE> ) stats function - <A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Aggregatefunctions#distinct_count.28X.29_or_dc.28X.29">https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Aggregatefunctions#distinct_count.28X.29_or_dc.28X.29</A></P> Fri, 22 Nov 2019 14:28:04 GMT https://community.splunk.com/t5/Splunk-Search/Inconsistent-Count-result/m-p/488810#M194022 wmyersas 2019-11-22T14:28:04Z