Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Issues with Sum(count) not showing a number, but total being correct.

bworrellZP
Communicator
‎09-09-2016 05:32 AM

Have a search that gives data, for "yesterday" with specific criteria. Trying to show results by Location, with counts by user per location. I get the counts, but it sometimes does not show a count.

Search is this. (data changed to protect the innocent 🙂 )

index=location |search LockedStatus=Locked |rename UserAccountEntry as User |stats count by Location User | stats values(User) as User values(count) as PerUser_count sum(count) as Total by Location | sort 10 -Total

alt text

If you look at DEF, for the 1258452 there is not a 1 in the per user count. Thoughts on why? (this happens every day, though location or user is different).

Thanks

Tags (1)
Preview file
21 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-09-2016 06:28 AM

values has an implicit dedup. Since both counts are 1, its gets deduped. Try using list instead.

index=location |search LockedStatus=Locked |rename UserAccountEntry as User |stats count by Location User | stats list(User) as User list(count) as PerUser_count sum(count) as Total by Location | sort 10 -Total

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎09-09-2016 06:28 AM

values has an implicit dedup. Since both counts are 1, its gets deduped. Try using list instead.

index=location |search LockedStatus=Locked |rename UserAccountEntry as User |stats count by Location User | stats list(User) as User list(count) as PerUser_count sum(count) as Total by Location | sort 10 -Total
0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...