topic Re: My search doesn't count correctly in Splunk Search

How would I fix my search not counting correctly?

fpedrosa — Fri, 28 Oct 2022 18:17:17 GMT

Hello y'all!

I'm trying to use the Single Value object, and build a search which count the number of the records and shows up.. but, for some reason it's not bring the right number..

Here is my search:

index=redhatinsights | spath | spath path=events{} output=events | stats by _time, events, application, event_type, account_id, context.display_name | mvexpand events | eval _raw=events | kv | table _time | where relative_time(now(), "-30d") <= _time | timechart span=30d count(_time) as count | appendpipe [| stats count | where count=0 | addinfo | eval time=info_min_time." ".info_max_time | makemv time | mvexpand time | table time count | rename time as _time ]

for some reason is not bring all the records, and this time range doesn't make any affect to the result:

What's is the right way to use this object and bring the total count of the records in the last 30 days?

Thanks!

Re: My search doesn't count correctly

johnhuang — Thu, 27 Oct 2022 21:51:17 GMT

Make sure you correctly account for the values that were deduped by stats and the expansion of events into multiple records.

This is a more efficient way to replicate your search.

index=redhatinsights earliest=-30d@d | spath | spath path=events{} output=events | eval event_ct=MVCOUNT(event) | timechart span=30d sum(event_ct) AS event_ct

Re: My search doesn't count correctly

fpedrosa — Fri, 28 Oct 2022 17:49:10 GMT

Hi @johnhuang thanks for your reply. Unfortunately not worked here.. using your code like this:

earliest=-30d@d | spath | spath path=events{} output=events | eval event_ct=MVCOUNT(event) | timechart span=30d sum(event_ct) AS event_ct

Brings 0 (zero) even with records there.. I tried to change like this:

earliest=-30d | spath | spath path=events{} output=events | stats by _time, events | mvexpand events | eval _raw=events | kv | table _time | timechart span=30d aligntime=latest count(_time) as event_cnt

show some numbers, but not the right ones..

Re: My search doesn't count correctly

johnhuang — Fri, 28 Oct 2022 17:52:11 GMT

Sorry there was a typo. Change event to events.

| eval event_ct=MVCOUNT(events)

Re: My search doesn't count correctly

fpedrosa — Fri, 28 Oct 2022 18:31:38 GMT

Thanks again @johnhuang appears it's going somewhere.. 🙂

Running your search I'm getting this on "Search":

I'm wondering if we need to have only "one" result with the all number... or I misunderstood something here?

Re: My search doesn't count correctly

johnhuang — Fri, 28 Oct 2022 18:31:46 GMT

It doesn't seem like your events are multivalued? In which case this should give you the same results:

index=redhatinsights earliest=-2mon@mon | timechart span=1mon count AS event_ct

Re: My search doesn't count correctly

fpedrosa — Fri, 28 Oct 2022 18:45:03 GMT

In my case some record may have multivalues events, or only one event... using your last search, I'm getting several returns, not just one return with the count, and the numbers are pretty different too..

Re: My search doesn't count correctly

fpedrosa — Tue, 01 Nov 2022 16:36:34 GMT

@johnhuang mvcount if there isn't any record, this search returns "no result" for the Single Value, so, it's showing like this:

Do you know, if is possible to bring just 0 when there's no record?