Splunk Search

Event count mismatch when using `field_name="*"` and `field_name!=""` in tstats query

Explorer

Why is there a difference between the number of events scanned in both these queries?
Using the query below, I get a statistics count of 25 and a number of events (the Events label below the search query) of 214.

| tstats values(XXXX.product_name) as "Product Name" from datamodel=XXXX where (XXXX.threat_name="*") by XXXX.threat_name

But, using

| tstats values(XXXX.product_name) as "Product Name" from datamodel=XXXX where (XXXX.threat_name!="") by XXXX.threat_name

I get the same statistics count of 25 and a number of events (the Events label below the search query) of 5,468.

SplunkTrust

1) Are you running for a fixed time frame, such as earliest=-1d@d latest=@d?

2) Compare the output. Which threat_name are the events missing from?

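As an added example (not posted by anyone in this thread), a diagnostic search that applies DalJeanis's second check: it runs both of the question's tstats variants with count instead of values(), joins them per threat_name and lists the threat_name values where the two filters disagree. XXXX is the question's placeholder data model name, and the field names wildcard_events, notempty_events and diff are chosen here.

```spl
| tstats count AS wildcard_events FROM datamodel=XXXX WHERE XXXX.threat_name="*" BY XXXX.threat_name
| append [
    | tstats count AS notempty_events FROM datamodel=XXXX WHERE XXXX.threat_name!="" BY XXXX.threat_name
  ]
| stats sum(wildcard_events) AS wildcard_events sum(notempty_events) AS notempty_events BY XXXX.threat_name
| fillnull value=0 wildcard_events notempty_events
| eval diff=notempty_events-wildcard_events
| where diff!=0
| sort -diff
```

Because neither query in the question sets summariesonly=t, tstats may also read raw events for time ranges that are not yet accelerated; run the same comparison with summariesonly=t to see whether the gap comes from the summaries or from that fallback.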

Explorer

Thanks for your response DalJeanis.
Yes, I am running queries for a fixed time frame.
I have updated the question as per my research. Please see the updated question.


SplunkTrust

A few things to check here:

  • you are using summariesonly in the tstats search; are the DMA searches running and are summaries available?
  • compare apples with apples, use your base search from the data model with your get-_index search
  • talking of base search: does it return the expected results?
  • Knowledge objects available to the DMA searches?
  • permissions?

Just a starting point, but good to check ...

cheers, MuS


Explorer

Thanks for the answer MuS.
I have updated the question as per my research and found the problem in this scenario.
