Splunk Search

Different search results question

johefu
Loves-to-Learn

Hello all,

Running the following search (direct count) at different times of the day for the same time period, I receive different results:

sourcetype=x index=y access_method="Explicit Proxy"
| table app,category,activity,user
| dedup user
| stats dc(user) by app

I can use this search but also get different results for the same time period, last 90 days;

sourcetype=x index=y access_method="Explicit Proxy"
| table app,category,activity,user
| dedup user
| stats count by app

Results look like this;

App      dc(user)
app 1    499
app2     36
app3     19

Any suggestions on what may be my issue?

Thanks

0 Karma

johefu
Loves-to-Learn

I am using the date range, 2/1 

johefu_0-1621537503219.png

 

0 Karma

ITWhisperer
SplunkTrust

What time periods are you using, earliest and latest?

0 Karma