Why do these two searches return different results...

pladamsplunk · ‎10-10-2016

I've downloaded an application for web analytics, however on two separate dashboards it shows two difference values for "pageviews" which I would think should be consistent throughout the data. The two searches for page views are the following.

| tstats summariesonly=t max(Web.http_session_pageviews) FROM datamodel=Web WHERE Web.site="*" "Web.eventtype"=pageview GROUPBY Web.http_session

....this search produces the value 60,000

| tstats summariesonly=t count(Web.http_session_pageviews) FROM datamodel=Web WHERE Web.site="*" "Web.eventtype"=pageview GROUPBY Web.http_session

... this search produces the value 230,000

Can anyone help me understand the difference between these two searches and why they are returning different values (even though I believe they should be returning the same value since pageviews in the data is a constant value) ?

sundareshr · ‎10-10-2016

The difference is between max and count. The first query is returning the max value in http_session_pageviews field, whereas the second query is returning the count of events.

Why do these two searches return different results for page views?

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

Why do these two searches return different results for page views?

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...