## How to stats events for solving this problem please?

Motivator

hello

I run stats after two eventstats commands, like this:

```
| eventstats sum(netp) as "netp1" by site
| eventstats sum(netp) as "netp2" by site user
| stats last(netp1) as "netp1", last(netp2) as "netp2" by site user
```

But I know it's not good, because I am doing a chart and the sum of netp and the sum of netp2 are not the same: for the same site there may be many users, but in my bar chart there is just one user displayed.

The bar in red corresponds to netp2 and the bar in blue to ntp2.

So the problem is with my blue bar, which has to have the same sum as the red bar.

How to stats events for solving this problem please?


SplunkTrust

Clearly there are other columns in the chart - what are the x-axis labels for the columns?

Also, what do you get if you add this to the search

```
| stats count by site
```
Motivator

the x-axis labels correspond to the site field

When I am doing `| stats count by site` I have a count = 1 for almost all the sites, except 2 sites.

For the 2 sites, it just means that there are 2 users concerned instead of 1.

SplunkTrust

Are these two sites where there is an issue? Or, do you get the issue for all of the sites?

Motivator

Most of the time there is just one user for one site

So in this case, my chart is correctly displayed

In red it's the sum count by site and in blue the sum count by user

But if there is more than one user, my chart is wrong

The bar chart for the sum count by site and the sum count by user always have to be the same, even if there is more than one user...

SplunkTrust

So the second and third blue add up to the red in both second and third, and the eighth and ninth blue add up to the red in both eighth and ninth. This is to be expected, as both these sites have two users.

Motivator

So, according to you, there is no solution to display the bar chart as I need?

SplunkTrust

Correct - the red bar represents the count for the site, and the blue bar represents the count for one of the users of the site, so where there are more than one user for a site, you will get multiple sets of bars for the site.

SplunkTrust

If user is null in some of your events they will still be counted as part of netp1 but won't appear in netp2

Motivator

I am sure it's not the problem

In my example I can see, for the same site, 2 users with 2 different sums of netp2.

So in my chart the sum of these 2 netp2 has to be the same as netp1,

but the sum is different because in the bar chart for netp2 there is just one user.

So there is a problem in the way I stats the events, I think?

SplunkTrust

Try this

```
| where isnotnull(user)
| eventstats sum(netp) as "netp1" by site
| eventstats sum(netp) as "netp2" by site user
| stats last(netp1) as "netp1", last(netp2) as "netp2" by site user
```
Motivator

It doesn't change anything...

SplunkTrust

Not sure what you mean by that

If your results are not what you expect, you need to look at your data and figure out what it is about your data that is producing the results you are getting.

For example, if user is a multi-value field, netp2(siteA, userX) + netp2(siteA, userY) could be greater than netp1(siteA)

Try reducing your data set until the inconsistency goes away, then increase it until the inconsistency comes back and have a look at the differences between the two data sets to try and isolate where the difference is coming from.
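The null-user and multivalue-user cases just described, as an added example that is not part of the original thread. It builds five events with makeresults (the site, user and netp values are constructed for this illustration), computes the per-site total the same way the original search does, and then rebuilds the per-site total from the per-(site, user) sums so the two can be compared. The per-(site, user) sum is taken with stats rather than eventstats plus last(), and the field names netp1, netp2, netp2_total and delta are chosen here, not taken from the poster's search.

```spl
| makeresults count=5
| streamstats count as n
| eval site=case(n<=2, "siteA", n<=4, "siteB", true(), "siteC")
| eval user=case(n=1, "alice", n=2, "bob", n=3, "carol", n=5, mvappend("dave", "erin"))
| eval netp=n*10
| eventstats sum(netp) as netp1 by site
| stats values(netp1) as netp1, sum(netp) as netp2 by site user
| eventstats sum(netp2) as netp2_total by site
| eval delta=netp2_total-netp1
| table site user netp1 netp2 netp2_total delta
```

siteA has two ordinary users, so netp2_total agrees with netp1. The siteB event whose user is null is included in netp1 by the first eventstats but dropped by `stats ... by site user`, so siteB's netp2_total comes out below netp1; that is the "won't appear in netp2" case. The siteC event carries a multivalue user, so stats counts its netp once for dave and once for erin, and netp2_total comes out above netp1; that is the "could be greater than netp1" case. Appending `| where delta!=0` to the same comparison on real data is the quickest way to find the sites where the two bars cannot agree.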

Motivator

Sorry, I don't understand.

I'm sharing the search with you, if you can have a look please:

https://www.cjoint.com/c/LEnfNGp6MEB

thanks

SplunkTrust

There doesn't appear to be anything wrong with the search

Therefore, if the results are not as you are expecting, there is a mismatch between your expectations and the data you are dealing with.

Try reducing the data set to a more manageable size to see at what point the outcome matches or doesn't match your expectations

Motivator

I have done a lot of debugging but I am going to continue again...

Don't you think we can do the job with a subsearch in order to work around the issue?

SplunkTrust

I don't understand what the issue is so I wouldn't know how a subsearch would help or not.

SplunkTrust

You are overwriting the value of netp in the first eventstats - try changing the order

```
| eventstats sum(netp) as "netp2" by site user
| eventstats sum(netp) as "netp" by site
| stats last(netp) as "netp", last(netp2) as "netp2" by site user
```
Motivator

Yes, but it's just because I modified the code for the example and made a mistake...

So in my original code, it's not the case,

so the root cause of my problem is not due to this...
