Splunk Search
Stats Count not returning expected Results - Difference in count over single date and span covering same date

Path Finder

Hi Guys,

Just noticed something a little strange.
I am running a query to count the number of a certain transaction.
When I run this query for a set date, say the 23rd of June, it returns about 5.5k results.
Yet if I run the query with a timechart over the span of 1 month, it returns double the results in the count.
When I click into the events from this search, it shows the original number as returned by the search of just that day.

Would someone be able to answer why this occurs?
Search query for the single day is:

host=myComputer-* index=index "KeyPhrase" success=True NOT (Content=Test1 OR Content=Test2) Crm=myRequest|stats count

and for the monthly one I run:

host=myComputer-* index=index "KeyPhrase" success=True NOT (Content=Test1 OR Content=Test2) Crm=myRequest|timechart count

Any help appreciated.
Thanks
Steve

Re: Stats Count not returning expected Results - Difference in count over single date and span covering same date

Esteemed Legend

By default, the timechart command will create "empty events" for timeslots with no data so that the spacing on the visualization will be even on the X-Axis. I assume this is what you are noticing.

Re: Stats Count not returning expected Results - Difference in count over single date and span covering same date

Path Finder

This would result in double the number of events counted?
Like in my issue, when I count the single day's events it shows roughly 5.5k.
Yet when I run the monthly timechart search, it counts roughly 11k as that day's number of events.
I click into show events, which returns the 11k, and it resolves to 5.5k results on the day.

Re: Stats Count not returning expected Results - Difference in count over single date and span covering same date

Esteemed Legend

Are you saying that the field count is doubled? That makes no sense to me.

Re: Stats Count not returning expected Results - Difference in count over single date and span covering same date

Path Finder

Yeah, exactly. So my daily search returns a number of 5326 for the 23rd of June,
yet my search for the entire month of June, on the 23rd, shows 10652.
I have this same issue for the following day as well. Yet all the rest of the days of the month are displayed as they should be: counts from the timechart search match the count from the daily count.

Re: Stats Count not returning expected Results - Difference in count over single date and span covering same date

SplunkTrust

Can you try this to see if that makes any difference:

host=myComputer-* index=index "KeyPhrase" success=True NOT (Content=Test1 OR Content=Test2) Crm=myRequest | bucket span=1d _time | stats count by _time
Re: Stats Count not returning expected Results - Difference in count over single date and span covering same date

Path Finder

Nope, still the same.
It returns the double value in the statistics tab, with count as 10652, and if I click into the events for the day in question, the 23rd of June, that returns the correct count of 5326.

Thanks for the input. It is a puzzling issue.

Re: Stats Count not returning expected Results - Difference in count over single date and span covering same date

Path Finder

If I change the monthly timechart search to | stats count by date,
it still returns the same wrong result for the dates in question.

Re: Stats Count not returning expected Results - Difference in count over single date and span covering same date

Esteemed Legend

The issue is surely that in the chart case you are using date, but in the timechart case you are using _time. If the date field is a multi-valued field with 2 values, then this will cause doubling. Is this what is happening?

Re: Stats Count not returning expected Results - Difference in count over single date and span covering same date

Path Finder

My understanding was that the timechart was charting over a period of time, in this case a month, and creating buckets of 1 day for each of the 30 days.
If I do a stats count on that given date, the 23rd of June, it returns one result.
If I do a stats count by date (buckets of 1 day) over the month, I get the same doubled results.
Even if it was counting double, when I click into show events surely it would then have doubled events, rather than just half the count value?
