Splunk Stats count discrepancy

Influencer

Hello

How would searching in VERBOSE mode and a strict timerange for index=foo host=bar | stats count return a much larger value than the number of events I see?

Even if I search for index=foo host=bar in the same time frame, I have far fewer events than what the count reports. What is wrong? How can Splunk count the events with a specific host but then not return them?

Any ideas?

Thanks

P.S.: Please note the attached evidence.


Re: Splunk Stats count discrepancy

Path Finder

@tiagofbmm, Wow, strange. Can you post a snapshot, if possible, and the Splunk version, please?

Thanks,
Sandeep


Re: Splunk Stats count discrepancy

Influencer

I can't put screenshots, but the version is 7.0. The searches I've done are exactly as I told you, though.


Re: Splunk Stats count discrepancy

Influencer

Version is 7.0.4. The problematic sources are from Splunk App DBConnect version 3.1.3


Re: Splunk Stats count discrepancy

SplunkTrust

By strict timerange, are you referring to non-relative time?

So when you run stats, it's returning a value of 1, and when you strip off stats, it's returning zero events?


Re: Splunk Stats count discrepancy

Influencer

Yes, not a relative time. Stats count is returning a count of, for instance, 290, but no events at all show up.


Re: Splunk Stats count discrepancy

Influencer

Yes, it is just like that. Stats shows there are events in that index from that host, but stripping the stats off, I see no events. Weirdest thing.


Re: Splunk Stats count discrepancy

SplunkTrust

Does this happen for this one sourcetype only? How big is your raw data for this sourcetype?


Re: Splunk Stats count discrepancy

Influencer

It's happening to dbinput sources from dbconnect. Raw data is not very big; these are audit logs. Size is not uncommon.


Re: Splunk Stats count discrepancy

SplunkTrust

Strange indeed. Do you get results in the Statistics tab with something like this?

index=foo host=bar | table _time _raw

Also, did you try running it in a different browser?
