Dashboards & Visualizations

Different number of events when querying over a 6-month period vs 1 month

Path Finder

I'm trying to create a table over a 6-month period, showing the number of items sold in each month (e.g. 10 ItemA & 20 ItemB in Jan, 15 ItemA & 10 ItemB in Feb, etc). However, when doing a comparison between the number of events returned and the values in the table, I found that there is a difference between the two. For example, the table shows 10 ItemA & 20 ItemB in Jan, but if I only query for Jan events, the actual number of events is 15 ItemA & 25 ItemB.

My query is

index=itemdb `macrotest` (name != "*itemA" AND name != "*itemB") | eval category = case(...) | eval fields = split(name,"_") | eval mname = mvindex(fields,1) | search category = "promo" | search mname = "itemC" | dedup f_1 f_2 | stats count by id _time

My query above is searching only for a specific item, in an attempt to troubleshoot.

If my time range is set to "Last 6 months", I get the following values in the table (showing only Oct, Nov and Dec here):
Oct = 18, Nov = 10, Dec = 11

If my time range is set to "During X 2019", where X is Oct, Nov and Dec, i.e. I search specifically during that month only, I get the following number of events:
Oct = 26, Nov = 14, Dec = 11

Missing events for Nov : 4 events on 30 Nov
Missing events for Oct : 5 events on 31 Oct, and 3 events on 27 Oct

I'm not sure why I get different results using the same query, if I change my time range.

0 Karma

Path Finder

I found that if I remove the dedup f_1 f_2 statement, the results match, regardless of whether the query was over 6 months or over a specific month. While I'm glad to finally get the same results, I don't understand why the dedup statement caused the mismatch, when it appears in both queries.

0 Karma
Get Updates on the Splunk Community!

Why am I unable to create dropdown static option that is "All" static options ...

Hi, I am trying to get a static option that is "All" the individual static options combined.  The mCode ...

Where can we set the script (host=CSG196) so can we deploy the script in host?

Hi  We face a challenge We have created one alert in which we are monitoring one of the windows service ...

Cannot push config from deployer to search head cluster

Hello,I recently upgraded our deployer/deployment server from 8.1.6 to version 9.0 and when I try to push ...