Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stricter search gives me more results...what?

rlough
Path Finder
‎02-11-2015 03:07 PM

I have a query that looks like this

index=*ind* ((source=*src1.log field=NAME) OR (source=*src1.log field=STRING)) | eventstats count(eval(field=="NAME")) AS f1 count(eval(field=="STRING")) AS f2 by users | where f1 < 1 AND f2 > 0 | dedup users | table users

The above returns something like 2000 statistics, but when I remove AND f2 > 0 and query along the exact same timeframe I get around 100 less statistics.

Why would making a search stricter ever return more results? This doesn't make sense.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hortonew
Builder
‎02-11-2015 03:44 PM

I think it might be treating that as a single expression rather than two separate expressions.

Either try: where (f1 < 1) AND (f2 > 0)
or
where f1 < 1 | where f2 > 0

and see what the results look like

View solution in original post

Reply
Solved! Jump to solution
Solution

hortonew
Builder
‎02-11-2015 03:44 PM

I think it might be treating that as a single expression rather than two separate expressions.

Either try: where (f1 < 1) AND (f2 > 0)
or
where f1 < 1 | where f2 > 0

and see what the results look like

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...