Archive
Highlighted

Distinct count returns less results than expected

Path Finder

Hello
Im running this query:

index="prod"
| rex field=source "(?<crate>.*?)/"
| stats dc(crate)H 

But the number of results is 400 less than expected.
Im wondering if the query is wrong or something is not working with the indexing ?

Thanks

0 Karma
Highlighted

Re: Distinct count returns less results than expected

SplunkTrust
SplunkTrust

It's impossible to answer without seeing the data. It could be your regex is incorrect and not properly extracting the crate field. It could be your data is not as varied as you think it is. Perhaps the data needs to be normalized before it is counted.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.