Splunk return different event count in verbose vs ...

marcoscala · ‎03-17-2016

Hi!
I'm having a problem with the following simple search in Splunk 6.3.3:

index=myIndex sourcetype=mySourcetype earliest="03/09/2016:08:00:00" latest="03/09/2016:18:00:00" 
| eval time=strftime(_time,"%H:%M") | eval day=strftime(_time,"%d/%m/%Y")  
| stats first(verso) as FirstVerso first(time) as FirstTime by day,badge_id  
| where FirstVerso=1 | stats count as "Users In"

All events have the badge_id and verso fields
If i run it in Verbose Mode, I get 80 results: running the same search in Fast Mode I get 240 results. The problem is with the "where FirstVerso=1" condition: if I omit this check, I get always the same number of results (325) both in Verbose and Fast mode.

Suggestions?!?!

Regards,

marcoscala · ‎03-18-2016

Here's a screenshot of my actual searches in Verbose and Fast mode.

Runals · ‎03-17-2016

For S&Gs try adjusting your initial search to

index=myIndex sourcetype=mySourcetype earliest="03/09/2016:08:00:00" latest="03/09/2016:18:00:00" day=* badge_id=* verso=*

marcoscala · ‎03-18-2016

Hi Runals,
I just try your suggestions, but I still get the same odd behaviour....

somesoni2 · ‎03-17-2016

Are the field verso an custom extracted field OR is it automatically extracted by Splunk?

marcoscala · ‎03-17-2016

Hi!
No, there's a field extraction to extract those fields using a REPORT commando in props.conf.

Splunk return different event count in verbose vs fast mode using "where"

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...