Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How would I fix my search not counting correctly?

fpedrosa
Engager
‎10-27-2022 02:19 PM

Hello y'all!

I'm trying to use the Single Value object, and build a search which count the number of the records and shows up.. but, for some reason it's not bring the right number..

Here is my search:

 

 

index=redhatinsights 
  | spath 
  | spath path=events{} output=events
  | stats by _time, events, application, event_type, account_id, context.display_name
  | mvexpand events 
  | eval _raw=events
  | kv
  | table _time
  | where relative_time(now(), "-30d") <= _time
  | timechart span=30d count(_time) as count
  | appendpipe [| stats count | where count=0 | addinfo | eval time=info_min_time." ".info_max_time | makemv time | mvexpand time | table time count | rename time as _time ]

 

 

 

for some reason is not bring all the records, and this time range doesn't make any affect to the result:

fpedrosa_0-1666905520723.png


What's is the right way to use this object and bring the total count of the records in the last 30 days?

Thanks!

 

 

Labels (3)
Labels
0 Karma
Reply

johnhuang
Motivator
‎10-27-2022 02:51 PM

Make sure you correctly account for the values that were deduped by stats and the expansion of events into multiple records.

This is a more efficient way to replicate your search.

 

index=redhatinsights earliest=-30d@d
| spath 
| spath path=events{} output=events
| eval event_ct=MVCOUNT(event)
| timechart span=30d sum(event_ct) AS event_ct

 

 

 

0 Karma
Reply

fpedrosa
Engager
‎10-28-2022 10:49 AM

Hi @johnhuang  thanks for your reply. Unfortunately not worked here.. using your code like this:

earliest=-30d@d
| spath 
| spath path=events{} output=events
| eval event_ct=MVCOUNT(event)
| timechart span=30d sum(event_ct) AS event_ct

Brings 0 (zero) even with records there.. I tried to change like this:

 earliest=-30d
  | spath 
  | spath path=events{} output=events
  | stats by _time, events
  | mvexpand events 
  | eval _raw=events
  | kv
  | table _time
  | timechart span=30d aligntime=latest count(_time) as event_cnt

 

show some numbers, but not the right ones..

0 Karma
Reply

johnhuang
Motivator
‎10-28-2022 10:52 AM

Sorry there was a typo. Change event to events.

| eval event_ct=MVCOUNT(events)

0 Karma
Reply

fpedrosa
Engager
‎11-01-2022 09:36 AM

@johnhuang  mvcount  if there isn't any record, this search returns "no result"  for the Single Value, so, it's showing like this:

fpedrosa_0-1667320574891.png

Do you know, if is possible to bring just 0  when there's no record?

0 Karma
Reply

fpedrosa
Engager
‎10-28-2022 11:23 AM

Thanks again @johnhuang   appears it's going somewhere.. 🙂

Running your search I'm getting this on "Search":

fpedrosa_0-1666981884394.png

 

 

I'm wondering if we need to have only "one" result with the all number... or I misunderstood something here?

0 Karma
Reply

johnhuang
Motivator
‎10-28-2022 11:31 AM

It doesn't seem like your events are multivalued? In which case this should give you the same results:

index=redhatinsights earliest=-2mon@mon
| timechart span=1mon count AS event_ct

 

0 Karma
Reply

fpedrosa
Engager
‎10-28-2022 11:38 AM

In my case some record may have multivalues events, or only one event... using  your last search, I'm getting several returns, not just one return with the count, and the numbers are pretty different too..

fpedrosa_0-1666982696270.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...