Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: What is the difference between rare vs stats v...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm trying to find least common agent useing two commands:
1) sourcetype=access_combined| rare useragent
2) sourcetype=access_combined| stats values(useragent) count by useragent | sort count
And I get different results, because second one finds more results.
Can someone please clarify the difference in the way those commands work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rare defaults to the 10 rarest so the percentages will be all wrong; these should be the same
sourcetype=access_combined| rare 9999 useragent
sourcetype=access_combined| stats count BY useragent | sort 9999 count
And these:
sourcetype=access_combined| rare useragent
sourcetype=access_combined| stats count BY useragent | sort 10 count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rare defaults to the 10 rarest so the percentages will be all wrong; these should be the same
sourcetype=access_combined| rare 9999 useragent
sourcetype=access_combined| stats count BY useragent | sort 9999 count
And these:
sourcetype=access_combined| rare useragent
sourcetype=access_combined| stats count BY useragent | sort 10 count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
As mentioned in the documentation, rare displays the least common values of a field and by default displays "rare" 10 values. If the "by clause" is specified, this command returns rare tuples of values for each distinct tuple of values of the group-by fields.
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Rare
Whereas values returns the list of all distinct values of the field X as a multivalue entry.
http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Multivaluefunctions#values.28X.29
In short rare is opposite of top
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah thats is why I tried to compare least common values of a field with distinct values of the field in descending order. The results seem to be the same now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could it be because you ran it after the rare search, and by then the results were different due to additional data coming in? I would make a dashboard with both searches, each in their own panel, that way they run at the same time. Or, rerun the first search to see if that searches results have changed as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Edit : Done one dashboard with shared time-picker and the results are the same 🙂
Must have been my mistake.
Thanks.
That was my idea at first, so I've set a time-picker to show results from the same hour and run commands.
Still the same difference.
Must be something in the way those commands work, but can not find any detailed info on the mechanism.
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
