Re: My search doesn't count correctly

fpedrosa · ‎10-27-2022

Hello y'all!

I'm trying to use the Single Value object, and build a search which count the number of the records and shows up.. but, for some reason it's not bring the right number..

Here is my search:

index=redhatinsights 
  | spath 
  | spath path=events{} output=events
  | stats by _time, events, application, event_type, account_id, context.display_name
  | mvexpand events 
  | eval _raw=events
  | kv
  | table _time
  | where relative_time(now(), "-30d") <= _time
  | timechart span=30d count(_time) as count
  | appendpipe [| stats count | where count=0 | addinfo | eval time=info_min_time." ".info_max_time | makemv time | mvexpand time | table time count | rename time as _time ]

for some reason is not bring all the records, and this time range doesn't make any affect to the result:

What's is the right way to use this object and bring the total count of the records in the last 30 days?

Thanks!

johnhuang · ‎10-27-2022

Make sure you correctly account for the values that were deduped by stats and the expansion of events into multiple records.

This is a more efficient way to replicate your search.

index=redhatinsights earliest=-30d@d
| spath 
| spath path=events{} output=events
| eval event_ct=MVCOUNT(event)
| timechart span=30d sum(event_ct) AS event_ct

fpedrosa · ‎10-28-2022

Hi @johnhuang thanks for your reply. Unfortunately not worked here.. using your code like this:

earliest=-30d@d
| spath 
| spath path=events{} output=events
| eval event_ct=MVCOUNT(event)
| timechart span=30d sum(event_ct) AS event_ct

Brings 0 (zero) even with records there.. I tried to change like this:

 earliest=-30d
  | spath 
  | spath path=events{} output=events
  | stats by _time, events
  | mvexpand events 
  | eval _raw=events
  | kv
  | table _time
  | timechart span=30d aligntime=latest count(_time) as event_cnt

show some numbers, but not the right ones..

johnhuang · ‎10-28-2022

Sorry there was a typo. Change event to events.

| eval event_ct=MVCOUNT(events)

fpedrosa · ‎11-01-2022

@johnhuang mvcount if there isn't any record, this search returns "no result" for the Single Value, so, it's showing like this:

Do you know, if is possible to bring just 0 when there's no record?

fpedrosa · ‎10-28-2022

Thanks again @johnhuang appears it's going somewhere.. 🙂

Running your search I'm getting this on "Search":

I'm wondering if we need to have only "one" result with the all number... or I misunderstood something here?

johnhuang · ‎10-28-2022

It doesn't seem like your events are multivalued? In which case this should give you the same results:

index=redhatinsights earliest=-2mon@mon
| timechart span=1mon count AS event_ct

fpedrosa · ‎10-28-2022

In my case some record may have multivalues events, or only one event... using your last search, I'm getting several returns, not just one return with the count, and the numbers are pretty different too..

How would I fix my search not counting correctly?

chart

stats

timechart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases