Solved: Re: Timechart count with split-by not adding up

asetyyli · ‎07-17-2014

I have 191 events logged for a specific day.

When I do a

timechart span=1d count

I get count of 191 for that day as expected. But when trying to get a count of events split by a field

timechart span=1d count by userclass

the sum of columns generated according to the userclass add up to 194 (I have three userclasses, 100+26+68 = 194).

Is this a bug or am I missing something how the split-by clause works?

martin_mueller · ‎07-17-2014

Do any events have multiple userclass values?

Here's a dummy example:

| stats count | eval userclass = "foo bar baz" | makemv userclass | stats count by userclass

This generates one event with three userclass values, giving you a total of three after the final stats.

View solution in original post

martin_mueller · ‎07-17-2014

Do any events have multiple userclass values?

Here's a dummy example:

| stats count | eval userclass = "foo bar baz" | makemv userclass | stats count by userclass

This generates one event with three userclass values, giving you a total of three after the final stats.

martin_mueller · ‎07-17-2014

Done and done.

asetyyli · ‎07-17-2014

Yes, some of the userclass field values were multivalues by mistake. Thanks for the tip! Can you make an answer out of your comment, so I can accept it?

Timechart count with split-by not adding up

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...