Splunk Search

Search And Report Discrepency

ostoul
Engager

Hi,

I have a search that looks kinda like this:

host=host1 OR host=host2 AND (errcode=E OR errcode=R) | dedup punct

when i run this for Thursday the 24th - i get 22 results.

However, when i add | timechart count, that day, it counts only 1 entry.. so if i click on the bar for that day, which says it counts 1 - the search that pops up has 22 entries!

I don't know what i'm doing wrong, but i suspect it's not counting the right thing.. i did try count(_raw) but that did not change anything, still got 1 in the report and 22 results for the search.

Thank you very much, Oleg

Tags (2)

sideview
SplunkTrust
SplunkTrust

Well, the events you're searching over are probably only in the most recent hour, and maybe even all in a single second. This is due to the dedup punct you're using which is going to reduce the set to only 22 pretty recent events. Each event in those 22 has a distinct value of punct. And if it reduces the set to a single second, that would explain why timechart is showing only a single bucket.

I dont think you're doing anything wrong necessarily, you're just maybe reading it wrong: what | timechart count does is that it rolls up the rows into evenly spaced time periods, and it has a 'count' field for each period.

If you look down at the table I bet you'll see that in your 1 row, there's a _time column that's probably a single second, and there's a count column that probably says 22.

remove the dedup punct and I bet now the timechart will fill with lots of rows. Again however the number of rows (and hence the number of 'results' the header talks about) is going to be the number of time-buckets, which is a number not related to the number of events across those buckets.

hth

0 Karma

sideview
SplunkTrust
SplunkTrust

One other idea, is that instead of using the dedup command and then piping to "timechart count", you might get some mileage out of "timechart dc(punct)", which will show distinct counts for each punct.

0 Karma

ostoul
Engager

I actually just figured it out the moment i posted it. It's much simpler than i was thinking.

I was deduping over punct on the weekly set, so it would remove any of tuesday's punct duplicates if they occured on monday. so deduping over punct,date_mday solved this.

This way it dedups punct on each day in question, not over the whole set.

/dumb

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...