Dashboards & Visualizations

Why does search return incorrect dc count?

Dzmitry
Explorer

Hi Team,

I noticed that for some hosts search returns incorrect dc count:

1) the query to dc count ids when status is failed
index=".." exec_mode="..." host_name="test_host" status="failed" | stats  dc(id) AS failed BY host_name | table host_name failed (returns 1)

2)  the query to dc count ids when status is skipped or passed

index="..." exec_mode="..." host_name="test_host" (status="skipped" OR status="passed") | stats  dc(id) AS pass_skip BY host_name | table host_name pass_skip (returns 234)

3) the query to dc count every id 

index="..." exec_mode="..." host_name="test_host" | stats dc(id) AS executed BY host_name | table host_name executed (returns 234)

but I expect that query #3 returns the sum of queries 1 (failed) and 2 (skipped and passed): 1 + 234 = 235
then I try to play with statuses in the query to get the total ids dc count
4) index="..." exec_mode="..." host_name="test_host" (status="failed" OR status!="failed") | stats  dc(id) AS failed BY host_name | table host_name failed (it also returns 234)

Only 10% of hosts have such odd search behavior; for the other 90% total = failed + passed/skipped

Thank you in advance!

1 Solution

gcusello
SplunkTrust

Hi @Dzmitry,

what's the result (always in the same time period) of:

index="..." exec_mode="..." host_name="test_host" (status="failed" OR status="skipped" OR status="passed") 
| stats  dc(id) AS pass_skip BY host_name status
| stats sum(pass_skip) AS total BY status

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @Dzmitry,

which time period did you use?

don't use a time period containing latest=now, but a closed time period: e.g. yesterday, earliest=-h@h latest=@h.

To be sure that the number of events is fixed.

Ciao.

Giuseppe


Dzmitry
Explorer

Hi @gcusello

I use "Last 7 days" 

I tried "Date range" and "Date & Time range" "Advanced" and got same issue


gcusello
SplunkTrust

Hi @Dzmitry ,

please try the following search, always using a fixed and closed time period (e.g. last week), and see if the results are correct:

index="..." exec_mode="..." host_name="test_host" (status="failed" OR status="skipped" OR status="passed") 
| stats  dc(id) AS pass_skip BY host_name 
| table host_name pass_skip

if they are correct, it means that you have events outside the three types you're using in your searches.

Ciao.

Giuseppe


Dzmitry
Explorer

Unfortunately, it doesn't help.
I get the same result for queries with (status="skipped" OR status="passed") and (status="skipped" OR status="passed" OR status="failed"); I tried all fixed time ranges.


Dzmitry
Explorer

Thank you and Merry Christmas😃
Final version:
index="..." exec_mode="..." host_name="..." (status="skipped" OR status="passed" OR status="failed") | stats dc(id) AS executed BY host_name status | stats sum(executed) AS total BY host_name

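An added illustration, not from the thread, of why the original numbers disagreed: dc(id) over all events counts each id once, while summing per-status dc(id) (the final search above) counts an id once per status it appears with. It assumes, as an explanation the thread implies but does not state, that some ids carry more than one status (for example a failed run that was re-run and passed); the events below are constructed to mirror the 1 + 234 = 235 vs 234 situation at small scale.

```python
# Added example: simulate Splunk's dc() on a small constructed event set to
# show why dc(id) over all events is smaller than the sum of per-status dc(id)
# when an id occurs under more than one status. Not code from the thread.
from collections import defaultdict

# Constructed sample events: id "t3" ran twice on test_host, once "failed"
# and once re-run as "passed". Every other id has a single status.
EVENTS = [
    {"host_name": "test_host", "id": "t1", "status": "passed"},
    {"host_name": "test_host", "id": "t2", "status": "skipped"},
    {"host_name": "test_host", "id": "t3", "status": "failed"},
    {"host_name": "test_host", "id": "t3", "status": "passed"},  # re-run
    {"host_name": "test_host", "id": "t4", "status": "passed"},
    {"host_name": "other_host", "id": "t1", "status": "failed"},
]

def dc_ids(events, host, statuses=None):
    """Like `host_name=<host> (status=...) | stats dc(id) BY host_name`."""
    return len({e["id"] for e in events
                if e["host_name"] == host
                and (statuses is None or e["status"] in statuses)})

def dc_ids_by_status(events, host):
    """Like `... | stats dc(id) AS executed BY host_name status`."""
    ids_by_status = defaultdict(set)
    for e in events:
        if e["host_name"] == host:
            ids_by_status[e["status"]].add(e["id"])
    return {s: len(ids) for s, ids in ids_by_status.items()}

def executed_total(events, host):
    """The thread's final search: `| stats sum(executed) AS total BY host_name`."""
    return sum(dc_ids_by_status(events, host).values())

def overlapping_ids(events, host):
    """Ids seen with more than one status: the reason the two totals differ."""
    statuses = defaultdict(set)
    for e in events:
        if e["host_name"] == host:
            statuses[e["id"]].add(e["status"])
    return sorted(i for i, s in statuses.items() if len(s) > 1)

if __name__ == "__main__":
    host = "test_host"
    print("failed        :", dc_ids(EVENTS, host, {"failed"}))            # 1
    print("pass_skip     :", dc_ids(EVENTS, host, {"passed", "skipped"}))  # 4
    print("executed (all):", dc_ids(EVENTS, host))                        # 4
    print("sum by status :", executed_total(EVENTS, host))                # 5
    print("ids with >1 status:", overlapping_ids(EVENTS, host))           # ['t3']
```

Which of the two totals is the "right" one depends on whether a re-run id should be counted as one execution or one per outcome; the per-status sum is what the final search above reports.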

gcusello
SplunkTrust

Hi @Dzmitry,

good for you, see you next time!

Please accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
