Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does my search with "stats count" return more events than the actual events present?

email2vamsi
Explorer
‎09-21-2016 09:14 AM

Stats count returns nine events for Points-1 & 2.
But as shown in the point-3 below, the actual events count is three.
Why is stats count is displaying more? please help.
These fields are extracted manually. Verbose search did not help too.

1) Output:9

index="index_test1" sourcetype="st_test1" Statusfield="Failure"  Service_Name="Service1" Hostname="myhost1"|stats count as Failed

2) Output: myhost1 -> 9

index="index_test1" sourcetype="st_test1" Statusfield="Failure"  Service_Name="Service1" Hostname="myhost1"|stats count by Hostname

3) Output: 3 events

index="index_test1" sourcetype="st_test1" Statusfield="Failure"  Service_Name="Service1" Hostname="myhost1"
Tags (4)
Reply

acharlieh
Influencer
‎09-21-2016 11:00 AM

For the individual events is Hostname extracted multiple times? (also is your first query actually stats count(Hostname) as failed instead of stats count as failed )?

Take this as a runanywhere example: 

|makeresults count=3 | eval Hostname=mvappend("myhost1","myhost1","myhost1")

I have 3 results, each result has extracted Hostname "myhost1" three times.

doing | stats count(Hostname) after this would return 9 as does | stats count by Hostname... but you can see | stats count returns 3 and |stats dc(Hostname) returns 1

Or all together: 

|makeresults count=3 | eval Hostname=mvappend("myhost1","myhost1","myhost1") | multireport [stats count(Hostname) as n1] [stats count as n2 by Hostname] [stats count as n3] [stats dc(Hostname) as n4] [noop]
Reply

email2vamsi
Explorer
‎09-23-2016 06:48 AM

I have extracted Hostname only once.

For me | stats count returns 9, even though the actual event count is 3 in search.

But in dashbaord both the | stats count and even count are showing 9.

0 Karma
Reply

Justin1224
Communicator
‎09-21-2016 10:51 AM

This is the description on the Splunk site for stats: Calculates aggregate statistics over the results set, such as average, count, and sum. The only thing I can think of is that it is aggregating the events so that you are seeing the same results but in different ways. I'm very new to Splunk though, so I could very well be wrong

0 Karma
Reply

email2vamsi
Explorer
‎09-21-2016 10:10 AM

Stats count returns 9.
Three different events gets displayed that are actually present.

0 Karma
Reply

Justin1224
Communicator
‎09-21-2016 10:02 AM

Are there multiple outputs that are the same? Is it outputting the same thing three times, for the three events you have?

0 Karma
Reply

email2vamsi
Explorer
‎09-21-2016 10:15 AM

The mismatch of count and events happen to some values, not to all..
Three different events gets displayed that are actually present. 

0 Karma
Reply

Justin1224
Communicator
‎09-21-2016 10:38 AM

So there are 6 events that are displayed when using stats count that aren't any of the three that are displayed normally?

0 Karma
Reply

email2vamsi
Explorer
‎09-21-2016 10:44 AM

Yes. In many cases. Many a times the stats count is more than the actual events present.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...