Alerting

Returning incorrect count from Splunk stats command

Ganesh1
Engager

Hi Splunk team,
We have been using similar below Splunk query across 15+ Splunk alerts but the count mentioned in email shows 4 times of actual failure occurrence.

index="<your_index>" sourcetype="<your_sourcetype>" source="<your_source.log>" Business_App_ID=<your_appid> Object=* (Failure_Message=*0x01130006* OR Failure_Message=*0x01130009*) | stats count by Object, Failure_Message | sort count

Below Splunk query is returning correct failure events.

index="<your_index>" sourcetype="<your_sourcetype>" source="<your_source.log>" Business_App_ID=<your_appid> Object=* (Failure_Message=*0x01130006* OR Failure_Message=*0x01130009*)

Can you please help in updating the Splunk query(mentioned 1st) to show correct count instead wrong one?

Labels (2)
Tags (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Ganesh1 ,

If the events are less than the total count in stats ,check i the fields Object and Failure_Message are present in all the events or only in a subset of them, and eventually not both in the same events.

If the events are freater than the total count in stats, probably you have more values in the same events.

because probably the issue is related to the fact that a stats count BY two fields returns the count of results with both the fields containing a value.

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

There is insufficient information to be able to determine what might be amiss. For example, if your events have multi-value fields, this can give unexpected counts. Please share some representative anonymised examples of your events.

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.

Can’t make it to .conf25? Join us online!

Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...