Splunk return different event count in verbose vs ...

marcoscala · ‎03-17-2016

Hi!
I'm having a problem with the following simple search in Splunk 6.3.3:

index=myIndex sourcetype=mySourcetype earliest="03/09/2016:08:00:00" latest="03/09/2016:18:00:00" 
| eval time=strftime(_time,"%H:%M") | eval day=strftime(_time,"%d/%m/%Y")  
| stats first(verso) as FirstVerso first(time) as FirstTime by day,badge_id  
| where FirstVerso=1 | stats count as "Users In"

All events have the badge_id and verso fields
If i run it in Verbose Mode, I get 80 results: running the same search in Fast Mode I get 240 results. The problem is with the "where FirstVerso=1" condition: if I omit this check, I get always the same number of results (325) both in Verbose and Fast mode.

Suggestions?!?!

Regards,

marcoscala · ‎03-18-2016

Here's a screenshot of my actual searches in Verbose and Fast mode.

Runals · ‎03-17-2016

For S&Gs try adjusting your initial search to

index=myIndex sourcetype=mySourcetype earliest="03/09/2016:08:00:00" latest="03/09/2016:18:00:00" day=* badge_id=* verso=*

marcoscala · ‎03-18-2016

Hi Runals,
I just try your suggestions, but I still get the same odd behaviour....

somesoni2 · ‎03-17-2016

Are the field verso an custom extracted field OR is it automatically extracted by Splunk?

marcoscala · ‎03-17-2016

Hi!
No, there's a field extraction to extract those fields using a REPORT commando in props.conf.

Splunk return different event count in verbose vs fast mode using "where"

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life