count eval results doesn't match the results under the Events tab

rarbabi — Wed, 22 Feb 2017 00:18:43 GMT

I have a simple search with stats count eval (u_id is a numeric field):

index=myindex base search | stats count(eval(u_id=1234)) as total

The count which I see under "total" (under Statistics tab) does not match the number under Events tab.It seems the eval function is not performing right. But when I do the following search both number matches.

index=myindex base search u_id=1234| stats count as total

what's wrong with the first search?

Re: count eval results doesn't match the results under the Events tab

gvmorley — Wed, 22 Feb 2017 04:07:04 GMT

Hi,

I would guess it's because in your first search, the count in the Events tab is showing all of the events returned by the base search. You're then using a transforming command (stats) to produce your result.

In the second search, you're filtering the events as part of that search (using the u_id=1234). So the count in the Events tab will be reduced.

For example if I do this:

index=_internal | stats count(eval(sourcetype="splunkd")) as total

I'll get:

But if I do this:

index=_internal sourcetype="splunkd" | stats count as total

I get:

Whilst it's not 'strictly' true, you could think of the count in the Events tab as showing you the number of events your actual search returned, before applying any sort of transformation. Such as stats, chart, etc.

Does that make sense?

topic count eval results doesn't match the results under the Events tab in Splunk Search

count eval results doesn't match the results under the Events tab

Re: count eval results doesn't match the results under the Events tab