Splunk Search

Transaction on unique field reduces events?

salokin_
Engager

Hello,
I don't understand the following behaviour and am looking for a solution. The following example is somewhat simplified, but still contains the "error".

(admission-controller.cc AND pool_name="*")
| stats dc(id)

> 28.635

The above code selects some events and counts the unique ids. In this case 28.635.

(admission-controller.cc AND pool_name="*")
| transaction id
| stats dc(id)

> 4.999

This code now uses transaction on id. In my understanding, as there are 28.635 different ids, the result of the second statement should be the same as the first one. But it isn't, it's less with 4999 instead. Could someone please explain why and offer a solution?

Best regards
Nikolas

0 Karma

salokin_
Engager

Solved it, with keepevicted=true it produces the same results.

The complete code of the second statement then looks like that:

(admission-controller.cc AND pool_name="*")
     | transaction id keepevicted=true
     | stats dc(id)

28635

0 Karma
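Why the count drops, as an added example that is not part of the original posts and is not Splunk's code: `transaction` holds only a limited pool of open transactions (the `maxopentxn` setting), evicts the least recently used one when the pool is full, and discards evicted transactions unless `keepevicted=true`. The Python model below is a simplification; the function names, the `evicted` key and the sample events are constructed for illustration.

```python
from collections import OrderedDict

def transaction_by_id(events, max_open, keep_evicted=False):
    """Group events by 'id' using a bounded pool of open transactions.

    Simplified model: when the pool is full, the least recently updated
    transaction is evicted, and evicted transactions reach the output
    only when keep_evicted is True.
    """
    open_txns = OrderedDict()  # id -> events, least recently used first
    results = []
    for event in events:
        key = event["id"]
        if key in open_txns:
            open_txns[key].append(event)
            open_txns.move_to_end(key)  # mark as most recently used
            continue
        if len(open_txns) >= max_open:
            old_key, old_events = open_txns.popitem(last=False)
            if keep_evicted:
                results.append({"id": old_key, "events": old_events, "evicted": True})
        open_txns[key] = [event]
    # End of the search: every transaction still in the pool is emitted.
    for key, evts in open_txns.items():
        results.append({"id": key, "events": evts, "evicted": False})
    return results

def distinct_ids(transactions):
    """Equivalent of `| stats dc(id)` over the transaction output."""
    return len({t["id"] for t in transactions})

def make_events(n_ids, per_id=2):
    """Constructed sample: per_id consecutive events for each of n_ids ids."""
    return [{"id": f"q{i:05d}", "seq": s} for i in range(n_ids) for s in range(per_id)]

if __name__ == "__main__":
    events = make_events(20)
    print("without keep_evicted:", distinct_ids(transaction_by_id(events, max_open=5)))
    print("with keep_evicted:   ", distinct_ids(transaction_by_id(events, 5, keep_evicted=True)))
```

In this model an id whose events straddle an eviction comes back as more than one transaction, so with evicted transactions kept the distinct id count is complete while the number of transactions can exceed it.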