Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search - count by 2 fields

madhav_dholakia
Contributor
‎06-20-2020 09:26 PM

Hello,

I have a live database feed through DB Connect. This feed is having incidents data for different teams and _time is set to last_updated.

I am trying to find count of different incident statuses by Teams , I am trying below search (with time-picker set to last 6 months) but it is not showing correct numbers:

index=idx_1 source="idx_src_1" sourcetype="idx_srctype_1"
| rename COMMENT as "sorting data in descending order and removing duplicates by keeping the latest record for each incident id"
| sort -lastUpdate
| dedup incID 
| rename COMMENT as "to get the count of incidents for each team by incident status"
| chart count by incStatus,teamName

but if I specify a team name in the search, it gives correct numbers:

index=idx_1 source="idx_src_1" sourcetype="idx_srctype_1" teamName="Team1"
| rename COMMENT as "sorting data in descending order and removing duplicates by keeping the latest record for each incident id"
| sort -lastUpdate
| dedup incID 
| chart count by incStatus,teamName

 Can someone please suggest me on how to resolve this.

Thank you.

Madhav

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

robinsonalex88
Explorer
‎06-22-2020 10:41 AM

How many events are being looked at when teamName is not specified?  The sort command has a default limit of 10000 results so you may have been hitting that limit looking at all teams.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-21-2020 05:10 AM
Have you tried specifying "teamName=*" in the base query?
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

madhav_dholakia
Contributor
‎06-22-2020 06:32 AM

Hi,

I have just removed sorting based on lastUpdate from the query I posted in my question and then it is giving correct result.

index=idx_1 source="idx_src_1" sourcetype="idx_srctype_1"
| rename COMMENT as "removed sorting data in descending order and only kept dedup for incident id"
| dedup incID 
| rename COMMENT as "to get the count of incidents for each team by incident status"
| chart count by incStatus,teamName

I do not understand this behavior but it somehow worked.

Thank you.

0 Karma
Reply
Solved! Jump to solution
Solution

robinsonalex88
Explorer
‎06-22-2020 10:41 AM

How many events are being looked at when teamName is not specified?  The sort command has a default limit of 10000 results so you may have been hitting that limit looking at all teams.

0 Karma
Reply
Solved! Jump to solution

madhav_dholakia
Contributor
‎06-22-2020 10:46 PM

Thank you, @robinsonalex88 - yes, there were 20k+ events and I was using | sort without specifying "0". After I added "| sort 0 -lastUpdate", it works fine and gives correct numbers.

So just for my understanding, if we use just "| sort" and have more than 10k+ events, it will consider only those events to get the results, correct?

Thank you.

0 Karma
Reply
Solved! Jump to solution

robinsonalex88
Explorer
‎06-23-2020 05:43 AM

@madhav_dholakiayes if no limit is specified with the |sort command then it will only return 10k results.  So your subsequent |dedup and |chart commands were only looking at 10k results instead of the full data set returned by the initial search.

Tags (1)
Reply
Solved! Jump to solution

madhav_dholakia
Contributor
‎06-23-2020 05:48 AM

Thank you @robinsonalex88 

0 Karma
Reply
Solved! Jump to solution

madhav_dholakia
Contributor
‎06-22-2020 01:17 AM

Thank you. I have tried this but still not getting correct numbers.

0 Karma
Reply
Get Updates on the Splunk Community!

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...