Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why Stats count command is counting events that are missing in other searches?

abhijeetallu
Engager
‎09-11-2023 08:35 PM

The first search query returns a count of 26 for domain X :

index="web" sourcetype="weblogic_stdout" loglevel IN ("Emergency") | stats count by domain

 

But when I run the below query to just see the events corresponding to domain=X, I get zero events:

 index="web" sourcetype="weblogic_stdout" loglevel IN ("Emergency") domain="X"

 

Any clue why this might be happening

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-11-2023 09:25 PM

That generally means X is not X, i.e. if you put 

index="web" sourcetype="weblogic_stdout" loglevel IN ("Emergency") domain="*X*"

do you get results

If you do this in your first search

index="web" sourcetype="weblogic_stdout" loglevel IN ("Emergency")
| eval trimmed_domain=trim(domain)
| eval bounded_domain=":".domain.":"
| stats count by domain trimmed_domain bounded_domain
| eval trimmed_equal_domain=if(trimmed_domain=domain, "YES", "NO")

you may see whether you have leading or trailing spaces around X and if trimmed_equal_domain is NO, then there are leading/trailing spaces.

The bounded domain makes it easier to see what's what by adding : before and after

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-11-2023 09:25 PM

That generally means X is not X, i.e. if you put 

index="web" sourcetype="weblogic_stdout" loglevel IN ("Emergency") domain="*X*"

do you get results

If you do this in your first search

index="web" sourcetype="weblogic_stdout" loglevel IN ("Emergency")
| eval trimmed_domain=trim(domain)
| eval bounded_domain=":".domain.":"
| stats count by domain trimmed_domain bounded_domain
| eval trimmed_equal_domain=if(trimmed_domain=domain, "YES", "NO")

you may see whether you have leading or trailing spaces around X and if trimmed_equal_domain is NO, then there are leading/trailing spaces.

The bounded domain makes it easier to see what's what by adding : before and after

0 Karma
Reply
Solved! Jump to solution

abhijeetallu
Engager
‎09-14-2023 09:46 AM

Thank you so much ! it worked. I was clueless what was happening and all this time it was a trailing space character !

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...