
Distinct count returns less results than expected

Communicator

Hello
I'm running this query:

index="prod"
| rex field=source "(?<crate>.*?)/"
| stats dc(crate)

But the number of results is 400 less than expected.
I'm wondering if the query is wrong or something is not working with the indexing?

Thanks

0 Karma

SplunkTrust

It's impossible to answer without seeing the data. It could be your regex is incorrect and not properly extracting the crate field. It could be your data is not as varied as you think it is. Perhaps the data needs to be normalized before it is counted.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
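
A way to check the two causes raised in the answer (the regex not extracting crate, and values needing normalization) on a sample of source values exported from the search. This is an added example, not code from the thread: it emulates the rex extraction in Python outside Splunk, and the sample values, function names and the treatment of an empty capture as uncounted are assumptions.

```python
import re
from collections import Counter

# Python spelling of the rex pattern "(?<crate>.*?)/"; like rex, search() is unanchored.
CRATE_RE = re.compile(r"(?P<crate>.*?)/")

def extract_crate(source):
    """Return the captured crate, "" for an empty capture, None when nothing matches."""
    m = CRATE_RE.search(source)
    return m.group("crate") if m else None

def diagnose(sources):
    """Summarise what a distinct count over the extracted field would see."""
    pairs = {(s, extract_crate(s)) for s in sources}
    # Assumption: an empty capture is not counted as a crate value.
    values = [c for _, c in pairs if c]
    # The lazy .*? stops at the first "/", so every deeper path under the same
    # first segment collapses onto one crate value.
    per_crate = Counter(values)
    return {
        "distinct_sources": len(set(sources)),
        "distinct_crates": len(set(values)),
        "distinct_crates_normalized": len({v.strip().lower() for v in values}),
        "no_match": sorted(s for s, c in pairs if c is None),
        "empty_capture": sorted(s for s, c in pairs if c == ""),
        "sources_per_crate": dict(per_crate),
    }

# Constructed sample values, not data from the thread.
SAMPLE_SOURCES = [
    "crate-a/app.log",
    "crate-a/sub/app.log",   # same first segment as the line above
    "Crate-A/app.log",       # differs only by case
    "crate-b/app.log",
    "crate-c.log",           # no "/" at all: nothing is extracted
    "/crate-d/app.log",      # leading "/": the capture is empty
    "crate-e\\app.log",      # backslash separator: nothing is extracted
]

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_SOURCES).items():
        print(f"{key}: {value}")
```

The `no_match` and `empty_capture` lists are the sources that never contribute to the distinct count, which is where a shortfall against the expected number would show up.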