Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk return different event count in verbose vs fast mode using "where"

marcoscala
Builder
‎03-17-2016 07:22 AM

Hi!
I'm having a problem with the following simple search in Splunk 6.3.3:

index=myIndex sourcetype=mySourcetype earliest="03/09/2016:08:00:00" latest="03/09/2016:18:00:00" 
| eval time=strftime(_time,"%H:%M") | eval day=strftime(_time,"%d/%m/%Y")  
| stats first(verso) as FirstVerso first(time) as FirstTime by day,badge_id  
| where FirstVerso=1 | stats count as "Users In"

All events have the badge_id and verso fields
If i run it in Verbose Mode, I get 80 results: running the same search in Fast Mode I get 240 results. The problem is with the "where FirstVerso=1" condition: if I omit this check, I get always the same number of results (325) both in Verbose and Fast mode.

Suggestions?!?!

Regards,

Reply

marcoscala
Builder
‎03-18-2016 01:09 AM

alt text

Here's a screenshot of my actual searches in Verbose and Fast mode.

Preview file
242 KB
0 Karma
Reply

Runals
Motivator
‎03-17-2016 11:06 AM

For S&Gs try adjusting your initial search to 

index=myIndex sourcetype=mySourcetype earliest="03/09/2016:08:00:00" latest="03/09/2016:18:00:00" day=* badge_id=* verso=*
0 Karma
Reply

marcoscala
Builder
‎03-18-2016 12:53 AM

Hi Runals,
I just try your suggestions, but I still get the same odd behaviour....

0 Karma
Reply

somesoni2
Revered Legend
‎03-17-2016 07:44 AM

Are the field verso an custom extracted field OR is it automatically extracted by Splunk?

0 Karma
Reply

marcoscala
Builder
‎03-17-2016 08:49 AM

Hi!
No, there's a field extraction to extract those fields using a REPORT commando in props.conf.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...