Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Data mismatch in a table

Ram2
Explorer
a week ago 
Query1:
index=test-index "ERROR" Code=OPT OR Code=ONP |bin _time span=1d |stats count as TOATL_ONIP1 by Code _time.
Query2:
index=test-index "WARN" "User had issues with code" Code=OPT OR Code=ONP 
|search code_ip IN(1001, 1002, 1003, 1004)
|bin _time span=1d 
|stats count as TOATL_ONIP2 by Code _time.

Query3:
index=test-index "INFO" "POST" NOT "GET /authenticate/mmt"
|search code_data IN(iias, iklm, oilk)
|bin _time span=1d 
|stats count as TOATL_ONI3 by Code _time.

Combined query:
index=test-index "ERROR" Code=OPT OR Code=ONP |bin _time span=1d |stats count as TOATL_ONIP1 by Code _time
|appendcols
[|search index=test-index "WARN" "User had issues with code" Code=OPT OR Code=ONP 
|search code_ip IN(1001, 1002, 1003, 1004)
|bin _time span=1d 
|stats count as TOATL_ONIP2 by Code _time]
|appendcols
[|search index=test-index "INFO" "POST" NOT "GET /authenticate/mmt" Code=OPT OR Code=ONP 
|search code_data IN(iias, iklm, oilk)
|bin _time span=1d 
|stats count as TOATL_ONI3 by Code _time]
|eval Start_Date=srftime(_time, "%Y-%m-%d")
|table Start_Date Code TOATL_ONIP1 TOATL_ONIP2 TOATL_ONIP3

Output for individual query1:

Start_DateCodeTOTAL_ONIP1
2025-04-01OPT2
2025-04-02OPT4
2025-04-03OPT0
2025-04-01ONP1
2025-04-02ONP2
2025-04-03ONP3


Output for individual query2:

Start_DateCodeTOTAL_ONIP2
2025-04-01OPT0
2025-04-02OPT0
2025-04-03OPT0
2025-04-01ONP4
2025-04-02ONP2
2025-04-03ONP3


Output for individual query3:

Start_DateCodeTOTAL_ONIP3
2025-04-01OPT0
2025-04-02OPT0
2025-04-03OPT9
2025-04-01ONP0
2025-04-02ONP6
2025-04-03ONP

8


Combined query output:

Start_DateCodeTOTAL_ONIP1TOTAL_ONIP2TOTAL_ONIP3
2025-04-01OPT249
2025-04-02OPT426
2025-04-03OPT138
2025-04-01ONP2  
2025-04-02ONP3  
2025-04-03ONP  

 


When we combine the query the count is not matching with the individual queries.
For example: on April1st for ONP for TOTAL_ONIP2 is 4 but in combined one it is showing null,  and 4 value updated in OPT april 1st 

Labels (1)
Labels
0 Karma
Reply

livehybrid
Super Champion
a week ago

Hi @Ram2 

Another approach would be to use a single query without any subsearch/apppend etc:

index=test-index (("ERROR" Code=OPT OR Code=ONP) OR ("WARN" "User had issues with code" Code=OPT OR Code=ONP code_ip IN(1001, 1002, 1003, 1004)) OR ("INFO" "POST" NOT "GET /authenticate/mmt" Code=OPT OR Code=ONP code_data IN(iias, iklm, oilk))) 
| bin _time span=1d 
| eval TOATL_ONIP1=if(match(_raw, "ERROR") AND (Code="OPT" OR Code="ONP"), 1, 0) 
| eval TOATL_ONIP2=if(match(_raw, "WARN") AND match(_raw, "User had issues with code") AND (Code="OPT" OR Code="ONP") AND code_ip IN(1001, 1002, 1003, 1004), 1, 0) 
| eval TOATL_ONIP3=if(match(_raw, "INFO") AND match(_raw, "POST") AND NOT match(_raw, "GET /authenticate/mmt") AND (Code="OPT" OR Code="ONP") AND code_data IN(iias, iklm, oilk), 1, 0) 
| stats sum(TOATL_ONIP1) as TOATL_ONIP1 sum(TOATL_ONIP2) as TOATL_ONIP2 sum(TOATL_ONIP3) as TOATL_ONIP3 by Code _time 
| eval Start_Date=strftime(_time, "%Y-%m-%d") 
| table Start_Date Code TOATL_ONIP1 TOATL_ONIP2 TOATL_ONIP3

This determines the ONIP number based on fields in the event and then does a stats to count each ONIP by Code.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
a week ago

That's more or less what I was talking about 🙂

0 Karma
Reply

livehybrid
Super Champion
a week ago

Ah @PickleRick yes spot on. Sorry hadnt seen your reply but seems like we are thinking along the same lines!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
a week ago

appendcols does not correlate values from existing columns, try using append and then final stats with values() and by Start_Date and Code

index=test-index "ERROR" Code=OPT OR Code=ONP |bin _time span=1d |stats count as TOATL_ONIP1 by Code _time
|append
[|search index=test-index "WARN" "User had issues with code" Code=OPT OR Code=ONP 
|search code_ip IN(1001, 1002, 1003, 1004)
|bin _time span=1d 
|stats count as TOATL_ONIP2 by Code _time]
|append
[|search index=test-index "INFO" "POST" NOT "GET /authenticate/mmt" Code=OPT OR Code=ONP 
|search code_data IN(iias, iklm, oilk)
|bin _time span=1d 
|stats count as TOATL_ONI3 by Code _time]
|eval Start_Date=srftime(_time, "%Y-%m-%d")
|stats values(TOATL_ONIP1) as TOATL_ONIP1 values(TOATL_ONIP2) as TOATL_ONIP2 values(TOATL_ONIP3) as TOATL_ONIP3 by Start_Date Code
Reply

PickleRick
SplunkTrust
SplunkTrust
a week ago

Be also aware of the subsearch limitations. You can't run them for long and they have a limit for returned results. So if you run them over a big data set you might get incomplete results and since the subsearches will get silently finalized you won't even know about it.

So i  your case it would probably be better to search for all matching events initially and tag them according to matching specific set of conditions using conditional field assignment ( | eval something=if( [...] ))

Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...