Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Same query is giving diff count in dashboard panel and search

Punnu
Path Finder
2 weeks ago

Hello All , 
I am running one query  and exactly sme query I am trying to run from search but I am getting diff counts . 

```query for apigateway call```
index=aws_np earliest=1746540480 latest=1746544140  Method response body : sourcetype="aws:apigateway"
| rex field=_raw "Method response body : (?<json>[^$]+)" 
| spath input=json path="header.messageID " output=messageID  
| spath input=json path="payload.statusType.code" output=status 
| spath input=json path="payload.statusType.text" output=text 
| spath input=json path="header.action" output=action 
| where status=200   
| rename _time as request_time 
    ```dedupe is added to remove duplicates ```
| dedup messageID 
| append 
    [ search index="aws_np"   earliest=1746540480 latest=1746558480   
| rex field=_raw "messageID \": String\(\"(?<messageID >[^\"]+)" 
| rex field=_raw "source\": String\(\"(?<source>[^\"]+)" 
| rex field=_raw "type\": String\(\"(?<type>[^\"]+)" 
| rex field=_raw "detail-type\": String\(\"(?<detail_type>[^\"]+)"
| where  source="XXX"   and type="XXXXX" and detail_type="XXXX" 
|  stats distinct_count(  messageID ) as cnt_guid   by messageID  ,_time ``` by time is added because we are duplicate records of same time and guid ```
| stats count(cnt_guid) as published_count  by messageID  
| dedup messageID  
| fields messageID ,  published_count
    ] 
| stats  values(action) as request_type sum(published_count) as published_count2   by messageID 
|   where isnotnull(request_type)  
|  eventstats sum(published_count2) by request_type| dedup request_type
| search request_type="Create" OR request_type="Update"
| head 2
|  fields sum(published_count2)  request_type

 

 

So I ran query from dashboard panel  and then used RUN Search option to run it direclty but I am getting diff count . Search is giving correct result . Dashboard is giving less 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
Super Champion
2 weeks ago

Hi @Punnu 

Are you running the search manually from the same app context as the dashboard? 

It could be that certain field extractions etc work differently if there is an app-context field eval, for example.

Are there any warnings when running it in the UI via the search bar?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
2 weeks ago

How long is your search taking - you are searching a 61 minute window in your outer search and a 5 hour window in your append.

Is the search in your dashboard part of a base search?

How long do each of the individual searches take and if you put both of those individual searches into a dashboard as individual searches, so they give the correct result counts vs. running it as a search directly.

0 Karma
Reply

Punnu
Path Finder
a week ago

Hello @bowesmana Yes outer query is for 1 hr and inner is for 5 hrs . Are u saying these two in separate panel and use result of these in third one and append it ?

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
a week ago

You didn't answer how long your search is running for - I didn't mean the time range, I mean the amount of time the search takes to run. Also, see the other questions.

I'm suggesting you split out the searches just to experiment if both are giving the correct count when run individually in the dashboard AND in a manual search.

If you shorten the time window do the results then work.

You will need to provide more detail. Look at the search job properties and look at result count and scanCount.

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...