topic Re: Splunk counting issues/skills in Splunk Search

Splunk counting issues/skills

asimagu — Fri, 12 Jul 2013 04:14:18 GMT

Hey guys

I am a bit puzzled by the counting skills of Splunk.

I have a dashboard with 3 panels that will show a count by clientip in some access_logs, so when I fire the same search on the 3 panels with a time window of one month, I get different values in each ones of the counts of each panel. They only differ in small numbers, but I still find it very odd that Splunk is not getting to the same results every time....

I'm using the geoip command on those searches...I am guessing that might something to do?

Re: Splunk counting issues/skills

Ayn — Fri, 12 Jul 2013 07:22:05 GMT

Are you running these searches on an interval that includes the current time? Because in that case if you run 3 searches and you have data constantly flowing in, obviously the second search will get some new data that the first search didn't get...and same thing with the third search.

Re: Splunk counting issues/skills

asimagu — Sun, 14 Jul 2013 20:44:34 GMT

I'm afraid not, it does not include current time. I am running those searches through the month of June

Re: Splunk counting issues/skills

Ayn — Sun, 14 Jul 2013 21:03:17 GMT

OK. What's the difference between the 3 searches, since you're using 3 panels rather than just 1 I assume something's different at least?

Re: Splunk counting issues/skills

asimagu — Sun, 14 Jul 2013 21:10:30 GMT

The idea of that dashboard was to make comparisons between different timeframes and different values of certain fields. I spotted some discrepancies between the same searches in two dashboards so I decided to run the same exact search in those 3 panels at the same time.... and surprise! I got 3 different results for the count of events: 1794, 1797, 1789 ..... so strange!

Re: Splunk counting issues/skills

Ayn — Sun, 14 Jul 2013 21:13:53 GMT

OK. Hard to say without having more details. If these searches are truly identical and operate on a fixed timeframe for which no events are added, I'm at a loss. I'm pretty sure there's something going on with either of those assumptions though. You might want to have a look at the job inspector for each of the searches to see if/why they behave differently.

Re: Splunk counting issues/skills

asimagu — Mon, 28 Sep 2020 14:20:18 GMT

parent search:
eventtype="pyme_page" status=200 | geoip clientip | search clientip_country_name="$country$" | fields clientip _time date_hour date_wday

postprocess 1:
stats count(clientip) | rangemap field=count(clientip) low=0-29 elevated=30-99 high=100-500 severe=501-10000 default=low

and that is replicated 3 exact times in my dashboard, in each of the panels. I was lost and that's why I came here to ask, I'm really suspecting it has something to do with the geoip command...

Re: Splunk counting issues/skills

asimagu — Tue, 10 Dec 2013 03:05:27 GMT

I finally spotted the problem. It was the version of Firefox that I was using.... everything worked alright on Chrome