Splunk Search
Highlighted

Why count searchmatch return double counts?

the events data set looks like this:

2:05:34.067 PM 3DS: authvalidatesuccess Proceeding with payment authorization country=DE, currency=EUR
2:05:33.220 PM 3DS: authvalidate country=DE, currency=EUR
1:40:28.684 PM 3DS: auth
validatesuccess Proceeding with payment authorization country=CY, currency=EUR
1:40:28.237 PM 3DS: auth
validate country=CY, currency=EUR
1:33:40.604 PM 3DS: authvalidatesuccess Proceeding with payment authorization country=CY, currency=EUR
1:33:40.108 PM 3DS: authvalidate country=CY, currency=EUR
1:07:06.813 PM 3DS: auth
validatesuccess Proceeding with payment authorization country=DE, currency=EUR
1:07:06.147 PM 3DS: auth
validate country=DE, currency=EUR
1:03:51.530 PM 3DS: authvalidatesuccess Proceeding with payment authorization country=DE, currency=EUR
1:03:51.117 PM 3DS: authvalidate country=DE, currency=EUR
12:11:21.673 AM 3DS: auth
validatesuccess Proceeding with payment authorization country=DE, currency=EUR
12:11:21.017 AM 3DS: auth
validate country=DE, currency=EUR

my search query:

"3DS: auth_validate country" OR "3DS: auth_validate_success" OR "3DS: auth_validate_error" OR  "3DS: auth_validate_exception" 
| chart 
count(eval(searchmatch("3DS: auth_validate country"))) AS Validate_total 
count(eval(searchmatch("3DS: auth_validate_success"))) AS Validate_success 
count(eval(searchmatch("3DS: auth_validate_error"))) AS Validate_error 
count(eval(searchmatch("3DS: auth_validate_exception"))) AS Validate_exception 
by country 

| table country, Validate_total, Validate_success, Validate_error, Validate_exception, 
| rename Validate_total as "Total Validate Calls"
| rename Validate_success as "Validate Success"
| rename Validate_error as "Validate Error"
| rename Validate_exception as "Validate Exception "
| sort - Validate_total

but the returned table shows double amount of the first string, I was expecting the Total Validate calls to be 2 and 4 too.

country Total Validate Calls    Validate Success    Validate Error  Validate Exception 
CY                 4                                   2                             0                      0
DE                 8                                   4                             0                      0

I can't figure out why. First I suspected it to be a string indexing issue, but if I use the same string in a separate query, it works fine.

Any help greatly appreciated!

0 Karma

Re: Why count searchmatch return double counts?

SplunkTrust
SplunkTrust

The docs say searchmatch has to be used within if so perhaps that's what's causing the problem. Try this alternative query:

"3DS: auth_validate country" OR "3DS: auth_validate_success" OR "3DS: auth_validate_error" OR  "3DS: auth_validate_exception" 
| stats
count(eval(like(_raw, "%3DS: auth_validate country%"))) AS Validate_total,
count(eval(like(_raw, "%3DS: auth_validate_success%"))) AS Validate_success,
count(eval(like(_raw, "%3DS: auth_validate_error%"))) AS Validate_error,
count(eval(like(_raw, "%3DS: auth_validate_exception%"))) AS Validate_exception 
by country 

| table country, Validate_total, Validate_success, Validate_error, Validate_exception, 
| sort - Validate_total
| rename country as Country
| rename Validate_total as "Total Validate Calls"
| rename Validate_success as "Validate Success"
| rename Validate_error as "Validate Error"
| rename Validate_exception as "Validate Exception "
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Highlighted

Re: Why count searchmatch return double counts?

Thanks, that works!

0 Karma