https://community.splunk.com/t5/Splunk-Search/Base-Query-return-440-events-but-stats-result-is-0/m-p/492064#M194276 <P>@rkyadav ,</P> <P>I removed 'by SFDC', and it returned 1 row with result is 0 as well.</P> <P>I tried to escape the '=' in the query by '\m', and it returned result to me. </P> <PRE><CODE>stats count(eval(searchmatch("GET /jsup?m\=calibrationOrgDataV12*"))) as number by SFDC </CODE></PRE> <P>Why?</P> Tue, 12 May 2020 02:41:07 GMT cheriemilk 2020-05-12T02:41:07Z https://community.splunk.com/t5/Splunk-Search/Base-Query-return-440-events-but-stats-result-is-0/m-p/492061#M194273 <P>Hi team, <BR /> I have below query. The base query has 440 events returned, But when I use stats command, tje number is 0. Does the because the special charaters in the string to be matched? How should I correct the string?</P> <P>(servername=pc* OR host=pc*) AND <BR /> sourcetype=access_log_bizx AND <BR /> "GET /jsup?m=calibrationOrgDataV12*" <BR /> <STRONG>| stats count(eval(searchmatch("GET /jsup?m=calibrationOrgDataV12*"))) as number by SFDC</STRONG></P> Wed, 30 Sep 2020 05:19:30 GMT https://community.splunk.com/t5/Splunk-Search/Base-Query-return-440-events-but-stats-result-is-0/m-p/492061#M194273 cheriemilk 2020-09-30T05:19:30Z https://community.splunk.com/t5/Splunk-Search/Base-Query-return-440-events-but-stats-result-is-0/m-p/492062#M194274 <P>@cheriemilk ,<BR /> by-clause will make this resolve. </P> <P>check out field by SFDC , this makes results vary as you have added "by SFDC" . Thats the reason event count does not match stats count. </P> <P>Try removing the "by SFDC " from your search query , it fetch the results.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Stats">https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Stats</A></P> <P>by-clause<BR /> Syntax: BY <BR /> Description: The name of one or more fields to group by. You cannot use a wildcard character to specify multiple fields with similar names. You must specify each field separately. The BY clause returns one row for each distinct value in the BY clause fields. If no BY clause is specified, the stats command returns only one row, which is the aggregation over the entire incoming result set.</P> <P>hope this is useful.</P> Thu, 07 May 2020 09:36:33 GMT https://community.splunk.com/t5/Splunk-Search/Base-Query-return-440-events-but-stats-result-is-0/m-p/492062#M194274 rkyadav 2020-05-07T09:36:33Z https://community.splunk.com/t5/Splunk-Search/Base-Query-return-440-events-but-stats-result-is-0/m-p/492063#M194275 <PRE><CODE> | stats count(eval(searchmatch("*calibrationOrgDataV12*"))) as number by SFDC </CODE></PRE> <P>Searchmatch had you searching for <BR /> "GET /jsup?m=calibrationOrgDataV12*" and "/jsup?m" is not a field name in your data.</P> Thu, 07 May 2020 10:03:18 GMT https://community.splunk.com/t5/Splunk-Search/Base-Query-return-440-events-but-stats-result-is-0/m-p/492063#M194275 jkat54 2020-05-07T10:03:18Z https://community.splunk.com/t5/Splunk-Search/Base-Query-return-440-events-but-stats-result-is-0/m-p/492064#M194276 <P>@rkyadav ,</P> <P>I removed 'by SFDC', and it returned 1 row with result is 0 as well.</P> <P>I tried to escape the '=' in the query by '\m', and it returned result to me. </P> <PRE><CODE>stats count(eval(searchmatch("GET /jsup?m\=calibrationOrgDataV12*"))) as number by SFDC </CODE></PRE> <P>Why?</P> Tue, 12 May 2020 02:41:07 GMT https://community.splunk.com/t5/Splunk-Search/Base-Query-return-440-events-but-stats-result-is-0/m-p/492064#M194276 cheriemilk 2020-05-12T02:41:07Z https://community.splunk.com/t5/Splunk-Search/Base-Query-return-440-events-but-stats-result-is-0/m-p/492065#M194277 <P>@jkat54 <BR /> probably not as it works for me with other query before</P> Tue, 12 May 2020 02:42:23 GMT https://community.splunk.com/t5/Splunk-Search/Base-Query-return-440-events-but-stats-result-is-0/m-p/492065#M194277 cheriemilk 2020-05-12T02:42:23Z https://community.splunk.com/t5/Splunk-Search/Base-Query-return-440-events-but-stats-result-is-0/m-p/492066#M194278 <P><CODE>searchmatch</CODE> use REGEX.</P> <P>strings <CODE>GET /jsup?m\=calibrationOrgDataV12*</CODE> is match <CODE>GET /jsum=calibrationOrgDataV1</CODE><BR /> not <CODE>?</CODE></P> Tue, 12 May 2020 03:09:16 GMT https://community.splunk.com/t5/Splunk-Search/Base-Query-return-440-events-but-stats-result-is-0/m-p/492066#M194278 to4kawa 2020-05-12T03:09:16Z