Seeing a difference in count between the stats and timechart commands?

dtccsundar
Path Finder

Hi,

I am facing a difference in count between stats and timechart for the same search and the same filters.

Stats command: Last 24 hours

search|bin span=1d _time |stats count by Status|eventstats sum(*) as sum_* |foreach * [eval "Comp %"=round((count/sum_count)*100,2)]|rename count as Count|fields - sum_count

Status   Count
Comp     7126
Error    37
Noncomp  146
NonRep   54
Total    7363


Timechart: Last 30 days

search|bin span=1d _time |timechart count by Status| addtotals| eval "Comp %"=round((Comp/Total)*100,2) | eval "Error %"=round((Error/Total)*100,2) | eval "Noncomp %"=round((Noncomp/Total)*100,2) | eval "NonRep %"=round((NonRep/Total)*100,2) | fields _time,*%

Status   Count
Comp     7126
Error    36
Noncomp  146
NonRep   53
Total    7361


There is a difference in count of 2 between these two commands. I am using a macro before the timechart or stats. Please help me with a solution or the cause of this issue.


bowesmana
SplunkTrust

Your searches and your data examples don't seem to correlate.

Firstly, you are not splitting by _time in your stats, so the stats command will give you a single set of stats by Status for the last 24 hours. Your bin _time is redundant. If you want to use bin with stats, you also need to use _time in the by clause, e.g.

|stats count by _time Status

Depending on when you are running the search and whether the latest part of the search is anchored to a fixed time, it will vary every time you run it.

Your timechart search is producing percentage values, not counts.

Can you clarify exactly what your earliest and latest search criteria are for these two searches?


dtccsundar
Path Finder

I am not using earliest and latest in the search.

But my requirement is the last 24 hours for stats and the last 30 days for timechart. For timechart it will be selected in the filter.


bowesmana
SplunkTrust

Every search has an earliest and latest time range - it's a fundamental requirement for any search. It's either set by a time picker or specified in the search directly.

Last 24 hours in Splunk will typically mean -24h@h to "now", so it will be somewhere between 24 and 25 hours, whereas your timechart will be working on day boundaries, because you have defined the time group to be a span of 1 day, so it will be from midnight to midnight.

You need to make sure you are comparing comparable time ranges. "Last 24 hours" will never be the same time range as a 30 day time range.

If you want "last 24 hours" to mean "yesterday", then your time range needs to be -d@d for the earliest time and @d for the latest time in the time picker.

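Putting the two answers above together, here is an added example (not from the original thread, and not the poster's own macro) of how to make the stats and timechart searches comparable. All three searches are pinned to the same midnight-to-midnight window with earliest=-d@d latest=@d, the stats search is split by _time as well as Status, and the third search puts the per-day totals from both commands on one row so a mismatch is visible. `your_macro` is a placeholder for the poster's macro, and the Status values are the ones from the question. The three searches are separated by blank lines and are run independently.

```spl
`your_macro` earliest=-d@d latest=@d
| bin span=1d _time
| stats count by _time Status
| eventstats sum(count) as Total by _time
| eval "Comp %"=round((count/Total)*100,2)
| rename count as Count

`your_macro` earliest=-d@d latest=@d
| timechart span=1d count by Status
| addtotals
| eval "Comp %"=round((Comp/Total)*100,2)
| eval "Error %"=round((Error/Total)*100,2)
| eval "Noncomp %"=round((Noncomp/Total)*100,2)
| eval "NonRep %"=round((NonRep/Total)*100,2)
| fields _time,*%

`your_macro` earliest=-d@d latest=@d
| bin span=1d _time
| stats count as stats_count by _time
| append
    [ search `your_macro` earliest=-d@d latest=@d
      | timechart span=1d count as tc_count ]
| stats values(stats_count) as stats_count values(tc_count) as tc_count by _time
| eval match=if(stats_count=tc_count, "yes", "no")
```

Inline earliest/latest override the time picker, so in a dashboard you would drop them and let the picker supply -d@d and @d (or any range that starts and ends on a day boundary) rather than "Last 24 hours". With `bin span=1d` plus `stats ... by _time` the day buckets are the same ones `timechart span=1d` produces, so the eventstats Total and the addtotals Total must agree for each day; the third search makes that check explicit, and any row with match=no points at the day whose window differs between the two searches.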

dtccsundar
Path Finder

I understand this. But I am using a data warehouse view as the source for the sourcetype, using DB Connect.

It will have a static value for a particular day. But I am not sure why I am seeing a difference between stats and timechart.

When I select yesterday in the timechart it shows an exact match with the stats count. But when I select more than one day it shows a difference.

It's strange, but this is what I am getting.

 

 
