Weird result when using *| dedup somthing | timec...

RadishBu · ‎11-12-2020

Hi I am now creating splunk dashboard, but I am facing a weird result that I am really confused:

I tried two queries:

query1: * | dedup somthing | timechart count(somthing) as total

query2: * | timechart distinct_count(something) as total

In my understanding, these two queries should give me total number of distinct "something" in every bucket.

But the thing is I get different result:

for example I use last 7 day time range:

I get this:

query1: 1,1,0,0,1,1,3

query2: 1,3,0,0,1,4,3

Actually query 2 is correct. I do have 3 and 4 "something" at day2 and day 6.

So what is the difference between these two queries??

ITWhisperer · ‎11-13-2020

Query 1 has dedup'd across the whole result set so the timechart is counting how many of the unique things have been found on each day.

Query 2 is counting how many different things happened each day.

Dedup'ing right to left

Weird result when using *| dedup somthing | timechart count