Why do these two searches return different results...

pladamsplunk · ‎10-10-2016

I've downloaded an application for web analytics, however on two separate dashboards it shows two difference values for "pageviews" which I would think should be consistent throughout the data. The two searches for page views are the following.

| tstats summariesonly=t max(Web.http_session_pageviews) FROM datamodel=Web WHERE Web.site="*" "Web.eventtype"=pageview GROUPBY Web.http_session

....this search produces the value 60,000

| tstats summariesonly=t count(Web.http_session_pageviews) FROM datamodel=Web WHERE Web.site="*" "Web.eventtype"=pageview GROUPBY Web.http_session

... this search produces the value 230,000

Can anyone help me understand the difference between these two searches and why they are returning different values (even though I believe they should be returning the same value since pageviews in the data is a constant value) ?

sundareshr · ‎10-10-2016

The difference is between max and count. The first query is returning the max value in http_session_pageviews field, whereas the second query is returning the count of events.

Why do these two searches return different results for page views?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Why do these two searches return different results for page views?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem