Getting Data In

Appendcols - Issue in the output of the query

vn_g
Path Finder

Query1 : index="*" earliest=-1mon@mon latest=@mon
| stats count

O/P : 25,419,925,723

Query2 : index="*" earliest=-2mon@mon latest=-1mon@mon
| stats count as Twomonthsbeforecount
| appendcols
[ search index="*" earliest=-1mon@mon latest=@mon
| stats count as Onemonthbeforecount ]
| eval Difference=Onemonthbeforecount-Twomonthsbeforecount
| table Difference Onemonthbeforecount Twomonthsbeforecount

O/P :

DifferenceOnemonthbeforecountTwomonthsbeforecount
-2654151775516952487526711042630

 

Query 1 output should match the Query 2 "Onemonthbeforecount " column value, but why is it differing? Am i missing out something to check?

Labels (1)
Tags (1)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @vn_g,

Can you try with tstats?

| tstats count as Twomonthsbeforecount where index="*" earliest=-2mon@mon latest=-1mon@mon
| appendcols
[ tstats count as Onemonthbeforecount where index="*" earliest=-1mon@mon latest=@mon ]
| eval Difference=Onemonthbeforecount-Twomonthsbeforecount
| table Difference Onemonthbeforecount Twomonthsbeforecount
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @vn_g,

Can you try with tstats?

| tstats count as Twomonthsbeforecount where index="*" earliest=-2mon@mon latest=-1mon@mon
| appendcols
[ tstats count as Onemonthbeforecount where index="*" earliest=-1mon@mon latest=@mon ]
| eval Difference=Onemonthbeforecount-Twomonthsbeforecount
| table Difference Onemonthbeforecount Twomonthsbeforecount
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

vn_g
Path Finder

Yes, this helped. Thankyou so much

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Is your subsearch getting truncated due to limits on subsearches?

0 Karma

vn_g
Path Finder

No I don’t see any DAG execution error 

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...