topic Re: Why won't count match when using tstats? in Splunk Search

Why won't count match when using tstats?

mahesh27 — Wed, 26 Apr 2023 01:06:16 GMT

When compared to original query with tstats query success, failed and total count is not matching.

original query:
index=app-cod-idx host_ip=11.123.345.23 sourcetype=code:logs
|rex field =_raw "\|presentdata\:(?<COD_data>.*\|"
|where isnotnull(COD_data)
|eval Success=if(COD_data="0" OR COD_data="", "Success", null())
|eval Failed=if(COD_data!="0", "Failed", null())
|stats count(Success) as Successlogs count(Failed ) as Failedlogs count(COD_data) as totalcount

OUTPUT:

Successlogs	Failedlogs	totalcount
14	10	24

tstats query:

|tstats count where index=app-cod-idx host_ip=11.123.345.23 sourcetype=code:logs by PREFIX(cod-data=)
|rename cod-data= as COD_data
|where isnotnull(COD_data)
|eval Success=if(COD_data="0" OR COD_data="", "Success", null())
|eval Failed=if(COD_data!="0", "Failed", null())
|stats count(Success) as Successlogs count(Failed ) as Failedlogs count(COD_data) as totalcount

OUTPUT:

Successlogs	Failedlogs	totalcount
1	0	1

Re: Why won't count match when using tstats?

VatsalJagani — Wed, 26 Apr 2023 06:02:46 GMT

@mahesh27 - I think that could be due to your extraction is different in both search:

|rex field =_raw "\|presentdata\:(?<COD_data>.*\|"
PREFIX(cod-data=)

One starts with presentdata: and second starts with cod-data=

But cannot tell more without looking at actual events.

I hope this helps!!!

Re: Why won't count match when using tstats?

burwell — Wed, 26 Apr 2023 06:21:16 GMT

Hi. When you run tstats count by prefix(cod-data=) you end up getting counts for each value of cod-data.

0	<count of 0s>
1	<count of 1s>
n	<count of ns>

And then

|eval Success=if(COD_data="0" OR COD_data="", "Success", null())
|stats count(Success) as Successlogs

That will identify the fields where COD_data = 0 as Success
Finally the count with Count the number of rows of Success.. which = 1

So something like

|tstats count where index=app-cod-idx host_ip=11.123.345.23 sourcetype=code:logs by PREFIX(cod-data=)
|rename cod-data= as COD_data
|where isnotnull(COD_data)

| stats sum(eval(if(COD_data="0",count,0))) AS SuccessLogs, sum(eval(if(COD_data!="0",count,0))) AS FailedLogs, sum(count) as totalcount

The key is that you want to sum the count

Re: Why won't count match when using tstats?

PickleRick — Wed, 26 Apr 2023 06:23:08 GMT

Apart from @VatsalJagani already pointed out, each of your searches works differently. The "raw" search extracts fields from events, then does stats count. The tstats search counts splitting by different values of the cod-data field. So even if your extractions matched in both of your searches, if cod-data field had always the same value, your "raw" search would extract and count all occurrences of that field but tstats would only give you one value at the beginning. And then you'd count that value (not sum!) so you'd end up with just 1 as the result.