https://community.splunk.com/t5/Splunk-Search/Why-is-my-tstats-including-other-counts/m-p/200027#M57960 <P>Note that you might be able to post-filter. The events that matched your search end up having two domains mentioned. If it's mentioned in a way that matches your original search criteria (that is, it's not producing a false positive), then all you'd have to do is re-filter. I'd suggest a macro with just "field=value1 or field=value2" that you can place in both the initial part (the tstats call) and the subsequent <CODE>| search</CODE> so that the lists can be easily kept in sync.</P> Mon, 19 Sep 2016 22:33:50 GMT sowings 2016-09-19T22:33:50Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-tstats-including-other-counts/m-p/200024#M57957 <P>Hi,</P> <P>I am querying an accelerated data model for active directory, using the search below. However, the results are showing domains that are not being requested. Can someone explain this to me?</P> <P>Search:</P> <PRE><CODE>|tstats count AS "Count of active directory index events" from datamodel=Active_Directory where (nodename = active_directory_index_events) (active_directory_index_events.Account_Domain="DMN1" OR active_directory_index_events.Account_Domain="DSDOM1" OR active_directory_index_events.Account_Domain="WINROOT" OR active_directory_index_events.Account_Domain="DSROOT" OR active_directory_index_events.Account_Domain="VC1ROOT" OR active_directory_index_events.Account_Domain="VC2ROOT" OR active_directory_index_events.Account_Domain="VC3ROOT" OR active_directory_index_events.Account_Domain="FMRSHIELD") BY active_directory_index_events.Account_Domain </CODE></PRE> <P>Results:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1867iAB8470E26ADB707A/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 19 Sep 2016 01:09:19 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-tstats-including-other-counts/m-p/200024#M57957 a212830 2016-09-19T01:09:19Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-tstats-including-other-counts/m-p/200025#M57958 <P>My suspicion is that the raw events that fed the model have "Account Domain" as a multi-valued field. The summary includes a snapshot of the event with each value of the multi-value field captured in amber. When you search, the WHERE tags the summary event, and the BY then splits out those multi-values each into their own row. I saw this a lot with some (incorrectly ingested) JSON using INDEXED_EXTRACTIONS (which behaves a bit like data model summaries).</P> Mon, 19 Sep 2016 17:21:19 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-tstats-including-other-counts/m-p/200025#M57958 sowings 2016-09-19T17:21:19Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-tstats-including-other-counts/m-p/200026#M57959 <P>Thanks. That does appear to be the case... back to the drawing board....</P> Mon, 19 Sep 2016 19:16:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-tstats-including-other-counts/m-p/200026#M57959 a212830 2016-09-19T19:16:24Z https://community.splunk.com/t5/Splunk-Search/Why-is-my-tstats-including-other-counts/m-p/200027#M57960 <P>Note that you might be able to post-filter. The events that matched your search end up having two domains mentioned. If it's mentioned in a way that matches your original search criteria (that is, it's not producing a false positive), then all you'd have to do is re-filter. I'd suggest a macro with just "field=value1 or field=value2" that you can place in both the initial part (the tstats call) and the subsequent <CODE>| search</CODE> so that the lists can be easily kept in sync.</P> Mon, 19 Sep 2016 22:33:50 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-tstats-including-other-counts/m-p/200027#M57960 sowings 2016-09-19T22:33:50Z