Re: Stats Results After Upgrade

dpwtheitguy · ‎07-30-2021

All,

Just upgraded to 8.2.1 last night and noticed something today with stats.

# This search returns 160k+ events
index=netfw
162276

# This returns a 0 in Smart mode, this search returned data in 8.1.x how ever no data in 8.2.1
index=netfw | stats count
0

# Same search in Verbose mode however returns the count
index=netfw | stats count
162276

Shouldn't Smart mode have returned the count correctly also? It did work that way in 8.1

vivekarora · ‎07-30-2021

Yes, It should return the same result in both smart and verbose mode.

I am also using Splunk 8.2.1

Attaching the screenshot for your reference.

I am using index=snow, its returing 99 events.

When I am using stats command, index=snow|stats count in verbose mode, its showing same 99 events

If I am using same stats command in smart mode, its showing same result

index=snow | stats count

Hence, the output of stats command in smart and verbose mode in splunk 8.2.1 is same.

Stats Results After Upgrade

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation