Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Weird result when using *| dedup somthing | timechart count

RadishBu
New Member
‎11-12-2020 05:28 PM

Hi I am now creating splunk dashboard, but I am facing a weird result that I am really confused:

I tried two queries:

query1: * | dedup somthing | timechart count(somthing) as total

query2: * | timechart distinct_count(something) as total

In my understanding, these two queries should give me total number of distinct "something" in every bucket.

But the thing is I get different result:

for example I use last 7 day time range:

I get this:

query1: 1,1,0,0,1,1,3

query2: 1,3,0,0,1,4,3

 

Actually query 2 is correct. I do have 3 and 4 "something" at day2 and day 6.

 

So what is the difference between these two queries??

 

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-13-2020 12:06 AM

Query 1 has dedup'd across the whole result set so the timechart is counting how many of the unique things have been found on each day.

Query 2 is counting how many different things happened each day.

Day1234567
dcga,b,f  ea,b,c,da,b,c
dedupgf  eda,b,c

Dedup'ing right to left

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...