Splunk Search

Why do stats and tstats give different set of results?

Taruchit
Contributor

Hi All,

I tried running the two SPLs below for the same index and time range, but got two very different sets of results:

SPL 1:

|tstats values(host) where index=xxx

SPL 2:

index=xxx |stats values(host)

 

In SPL 1, I get one value.

In SPL 2, I get six values.

 

I also tried to run the following:

index=xxx

I checked the fields panel on the left-hand side, and the host field had the same values as in SPL 2.

 

Thus, please help by sharing why the above was observed and how it can be resolved.

Thank you


actionabledata
Path Finder

In this case, you are not using Data Model (and Acceleration) syntax, so I will ignore that use case.

A tstats command uses data from the tsidx file(s). One of the means by which data is put into the tsidx file(s) is index-time extractions. If the data has NOT been index-time extracted, tstats will not find it.

https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Tstats

https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/Aboutindexedfieldextraction#:~:text=Search%2....

The index=xxx | stats ... function first of all reads ALL data from the index=xxx and THEN performs the stats function on that resulting data.

https://docs.splunk.com/Documentation/Splunk/9.0.0/SearchReference/Stats

https://community.splunk.com/t5/Splunk-Search/What-is-tstats-and-why-is-so-much-faster-than-stats/m-...

My theory is that the other 5 host regions do not have index-time extractions performed.

I recommend that you check your props.conf and accompanying transforms.conf file to determine which hosts have index-time field extractions. I suspect you will only find the one host.

Best of luck to you. This type of question and investigation is critical to more efficient uses of Splunk. So keep asking!! 


Taruchit
Contributor

The host field is not being extracted at index time; it is being extracted at search time on the search head cluster.

As a result, the tstats command was not getting the values.

Thank you all for sharing your valuable inputs.

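To make the distinction behind the accepted answer (check props.conf and transforms.conf for index-time extractions) and the original poster's finding (host set at search time on the search head cluster) concrete, here is an added configuration example. It is not configuration from this thread or from any Splunk app; the sourcetype name xxx_syslog, the stanza names and the syslog-style sample line are assumptions for illustration. The index-time stanzas follow the documented host-override pattern (FORMAT = host::$1, DEST_KEY = MetaData:Host); the search-time stanzas use an ordinary REPORT- extraction.

```ini
# --- props.conf on the parsing tier (indexers or heavy forwarders) ---
# Index-time host override. It runs while the event is parsed, so the
# rewritten host is what gets written to the tsidx file, and
# "| tstats count where index=xxx by host" will return it.
# "xxx_syslog" is an assumed sourcetype name.
[xxx_syslog]
TRANSFORMS-set_host = xxx_host_from_syslog

# --- transforms.conf on the parsing tier ---
# Capture the hostname from a syslog header such as
# "Mar  3 10:15:42 web-03 sshd[2211]: ..." (constructed sample line).
[xxx_host_from_syslog]
REGEX = ^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(\S+)\s
FORMAT = host::$1
DEST_KEY = MetaData:Host

# --- props.conf on the search head cluster ---
# Search-time extraction of the same value. It is applied only when a
# search reads the raw events, so "index=xxx | stats values(host)" sees
# the extracted name while tstats still sees whatever host the tsidx
# holds from index time. This is the configuration pattern that produces
# the mismatch described in the thread.
[xxx_syslog]
REPORT-host_from_syslog = xxx_host_searchtime

# --- transforms.conf on the search head cluster ---
[xxx_host_searchtime]
REGEX = ^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(?<host>\S+)\s
```

To tell which case you are in, run these over the same index and time range:

| tstats count where index=xxx by host

index=xxx | stats count by host

| walklex index=xxx type=field

The first returns only host values present in the tsidx, the second returns values after search-time extraction, and the third lists the fields that are actually indexed in the buckets. Any host values that appear in the second search but not the first come from search-time configuration on the search head. Two caveats: an index-time override only affects data indexed after it is deployed, and host is always an indexed default field, so the single value tstats returned is the host assigned at index time (by the forwarder or inputs.conf), not an absence of the field. For a custom field indexed with WRITE_META = true, also declare it with INDEXED = true in fields.conf on the search head so searches on it use the index.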


isoutamo
SplunkTrust

In some versions there is a bug when using tstats with the _internal index. See e.g. https://community.splunk.com/t5/Splunk-Enterprise/what-makes-tstats-on-internal-go-wrong/m-p/572087

r. Ismo


splunkxorsplunk
Explorer

Probably some of the data is not being indexed properly. Please check this out:

https://community.splunk.com/t5/Splunk-Search/What-is-wrong-with-my-tstats-command/m-p/593165/highli...

Taruchit
Contributor

Thank you @splunkxorsplunk for sharing your inputs.

Can you please share how I can resolve the issue?  I was unable to follow the solution given in the thread you shared.

Thank you
